On 3/29/13 5:17 PM, "Piyush Jain" <piyush@xxxxxxxxxxxx> wrote:

> '"revoked" status is still optional in this context in order to maintain
> backwards compatibility with deployments of RFC 2560.'
>
> I fail to understand this statement about backward compatibility.
> How does "revoked" being optional/required break backward compatibility?
> The only reason cited in the WG discussions to use revoked for
> "not-issued" was that any other approach would break backward
> compatibility with legacy clients. And now the draft says that revoked
> is optional because making it required won't be backward compatible.

Yes. Making it required would prohibit other valid ways to respond to this
situation that are allowed by RFC 2560 and RFC 5019, such as responding
"good" or responding with an "unauthorized" error.

> And it gives the impression that the best course of action for 2560bis
> responders is to start issuing revoked for "not-issued", which is far
> from the originally stated goal to provide a way for CAs to be able to
> return revoked for such serial numbers.

The latter is what optional means.

/Stefan
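The three responder behaviours discussed above ("revoked", "good", or the "unauthorized" error for a serial the CA never issued), modelled as an added example that is not part of the thread or any responder implementation. It assumes the encoding the final RFC 6960 (2560bis) specifies for the optional "revoked" answer (reason certificateHold, revocationTime 1970-01-01, the id-pkix-ocsp-extended-revoke extension); the function names and the issuance database are constructed for the example.

```python
# Added example: models a responder's choice for a not-issued serial and how a
# legacy (RFC 2560) client versus an RFC 6960-aware client interprets it.
from datetime import datetime, timezone

CERTIFICATE_HOLD = 6                                   # CRLReason certificateHold
NOT_ISSUED_TIME = datetime(1970, 1, 1, tzinfo=timezone.utc)  # RFC 6960 marker time
EXTENDED_REVOKE_OID = "1.3.6.1.5.5.7.48.1.9"            # id-pkix-ocsp-extended-revoke

ISSUED_SERIALS = {0x1001, 0x1002}   # constructed CA issuance database


def respond(serial, policy):
    """Responder answer for one serial under a chosen not-issued policy."""
    if serial in ISSUED_SERIALS:
        return {"status": "successful", "cert_status": "good", "extensions": []}
    if policy == "revoked":        # the optional RFC 6960 behaviour
        return {"status": "successful", "cert_status": "revoked",
                "reason": CERTIFICATE_HOLD, "revocation_time": NOT_ISSUED_TIME,
                "extensions": [EXTENDED_REVOKE_OID]}
    if policy == "good":           # still permitted by RFC 2560 / RFC 5019
        return {"status": "successful", "cert_status": "good", "extensions": []}
    if policy == "unauthorized":   # error response, no certificate status at all
        return {"status": "unauthorized"}
    raise ValueError(f"unknown policy {policy!r}")


def is_not_issued_signal(resp):
    """True when the response carries the RFC 6960 'never issued' marker."""
    return (resp.get("cert_status") == "revoked"
            and resp.get("reason") == CERTIFICATE_HOLD
            and resp.get("revocation_time") == NOT_ISSUED_TIME
            and EXTENDED_REVOKE_OID in resp.get("extensions", []))


def client_verdict(resp, legacy):
    """Trust decision for one response.

    legacy=True models an RFC 2560 client that only knows good/revoked/unknown;
    legacy=False models a client that also recognises the not-issued marker.
    'unknown' means the client has no status and must fall back (CRL) or fail.
    """
    if resp["status"] != "successful":
        return "unknown"
    if resp["cert_status"] == "good":
        return "accept"            # the only not-issued policy that fails open
    if not legacy and is_not_issued_signal(resp):
        return "reject:not-issued" # aware client can distinguish the cause
    return "reject:revoked"        # legacy client still fails closed
```

The assertions a practitioner would check: a legacy client treats the marker as an ordinary revocation (fail-closed), an aware client names the cause, and only the "good" policy lets an unissued serial through.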