On 4/12/13 1:31 AM, "Henry B. Hotz" <hotz@xxxxxxxxxxxx> wrote:

>What I would find helpful, and what I think some people really would
>like, is for OCSP to be able to provide white-list information in
>addition to the previous black-list information. When I read through
>2560bis, I could not tell if there was an extension which would allow an
>RP to tell if "good" actually meant a cert was on the white list (and to
>know the responder has the white list), or merely not on the black list.
>(Yes, I'm repeating myself. Am I making more sense, or just wasting
>everyone's time?)

What we have done is to roll out the red carpet and make it possible for you to do that. The only thing you need to do now is to define a "white-list" extension.

To put it simply: given how OCSP is designed, the only way to allow "good" to represent a white-list is if "revoked" can be returned for everything else. Everything else in this context means every other revoked or non-issued certificate serial number under that CA.

With RFC 2560 that is not possible in a clean way. With this new extension in RFC 2560bis, it is now possible.
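As an added illustration of the point made in the reply above (example code written for this page, not code from the thread or from any OCSP implementation): a minimal model of an OCSP responder in the classic RFC 2560 black-list mode beside one that applies the RFC 2560bis behaviour the reply refers to, which the published RFC 6960 calls the extended revoke extension and which lets a responder answer "revoked" for serial numbers the CA never issued, using the reason certificateHold and a revocation time of 1 January 1970 as the marker. The serial numbers, the issued and revoked sets, and the function names are constructed for the example. The relying-party helper shows why the distinction matters: only when the responder announces the extended behaviour can "good" be read as "on the white list" rather than "not on the black list".

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed responder state for one CA: the serials it actually issued
# (its white list) and the revoked subset (its black list).
ISSUED = {0x1001, 0x1002, 0x1003}
REVOKED = {0x1003: ("keyCompromise", datetime(2013, 3, 1, tzinfo=timezone.utc))}

# Marker RFC 6960 uses for never-issued serials under the extended revoke
# extension: reason certificateHold and a revocation time at the Unix epoch.
NON_ISSUED_REASON = "certificateHold"
NON_ISSUED_TIME = datetime(1970, 1, 1, tzinfo=timezone.utc)


@dataclass
class SingleResponse:
    """One CertStatus as a relying party would see it (simplified model)."""
    serial: int
    status: str                                 # "good" | "revoked" | "unknown"
    reason: Optional[str] = None
    revocation_time: Optional[datetime] = None
    extended_revoke: bool = False               # responder signals the extension


def respond_rfc2560(serial: int) -> SingleResponse:
    """Classic black-list responder: 'good' only means 'not on the black list'.
    A serial the CA never issued still comes back 'good'."""
    if serial in REVOKED:
        reason, when = REVOKED[serial]
        return SingleResponse(serial, "revoked", reason, when)
    return SingleResponse(serial, "good")


def respond_extended_revoke(serial: int) -> SingleResponse:
    """Responder using the extended revoke behaviour: everything that is not
    on the white list (revoked or never issued) is answered 'revoked', so
    'good' now implies membership in the issued set."""
    if serial in REVOKED:
        reason, when = REVOKED[serial]
        return SingleResponse(serial, "revoked", reason, when, extended_revoke=True)
    if serial not in ISSUED:
        return SingleResponse(serial, "revoked", NON_ISSUED_REASON, NON_ISSUED_TIME,
                              extended_revoke=True)
    return SingleResponse(serial, "good", extended_revoke=True)


def is_non_issued_marker(resp: SingleResponse) -> bool:
    """Recognise the 'never issued' marker: revoked + certificateHold + epoch time."""
    return (resp.status == "revoked"
            and resp.reason == NON_ISSUED_REASON
            and resp.revocation_time == NON_ISSUED_TIME)


def good_means_whitelisted(resp: SingleResponse) -> bool:
    """A relying party may treat 'good' as white-list membership only when the
    responder signals the extended behaviour; otherwise 'good' is just
    'not revoked' and says nothing about whether the CA issued the serial."""
    return resp.status == "good" and resp.extended_revoke


if __name__ == "__main__":
    for serial in (0x1001, 0x1003, 0x9999):
        a, b = respond_rfc2560(serial), respond_extended_revoke(serial)
        print(f"{serial:#06x}: rfc2560={a.status:8} extended={b.status:8} "
              f"non-issued-marker={is_non_issued_marker(b)}")
```

Running the block shows the three cases side by side: an issued serial is "good" in both modes, a revoked one is "revoked" in both, and a never-issued serial is "good" under RFC 2560 but "revoked" with the certificateHold/epoch marker under the extended behaviour, which is exactly what allows the responder to turn its white list into "good" answers.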