Re: crypto-ISSUE-16: Definition for Key Expiration [Web Cryptography API]

On Sun, Aug 5, 2012 at 9:58 PM, Mountie Lee <> wrote:
> Hi.
> for determining key expiration,
> are CRL or OCSP in scope of low level api?
> regards
> mountie.

No. CRL and OCSP represent high-level protocols, and are only relevant
in the context of a specific certificate.

For example, a given key may have multiple certificates associated
with it (crypto-ISSUE-15). As such, it's possible to imagine a
scenario where one of the certificates has been revoked by the issuer,
while another has it still valid.

This is similar to the issue I note with overlapping validity dates.

With the low-level API, however, it's certainly possible to integrate
a CRL or OCSP checker, if there is a particular certificate to be
checked. The low-level API provides sufficient primitives that,
combined with XMLHttpRequest, an application could generate an OCSP
request, or parse a CRL or OCSP response.


Received on Monday, 6 August 2012 05:12:43 UTC