On Jun 2, 2005, at 18:04, Oscar Manso wrote:
> In fact, the cautionary period can be inferred from the OCSP Response - and the CRL - by applying the formula
>
>     CautionaryPeriod = NextUpdate - ThisUpdate
>
> The CautionaryPeriod indicates the interval of time during which a change in the status of a cert may not be reflected in the OCSP response being provided.
I think we are confusing two things here: latency and frequency.

  t0: CA operator presses the "revoke" button
  t1: CRL gets timestamped
  t2: CRL gets published
  t3: CRL is fetched / pushed over to OCSP responder
  t4: OCSP responder has updated its revocation database

What you call CautionaryPeriod above defines an upper bound of the time between t1 of CRL#n to t2 of CRL#(n+1) -- that is, the frequency or interval with which updates will be available. While this is important, I would argue that a Cautionary Period as described in the RFC is the _latency_, i.e. the time between t0 and t4 for a particular revocation to get into effect.

The document should be improved to cover both of these features and point out the issues associated with them. Does anyone have any better words than "publishing interval" (frequency?) and "cautionary period" (latency?) for these things?

/Olle
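The two quantities the thread distinguishes, as an added example that is not part of either message: the publishing interval taken from a response's thisUpdate/nextUpdate pair (Oscar's formula), the end-to-end latency measured from Olle's t0..t4 event timeline and broken down per stage, and the relying-party freshness check that a client would apply against the same window. The `StatusResponse` type, the event dictionary keys `t0`..`t4`, the sample timestamps and the 5-minute clock-skew allowance are constructed here for illustration and are not from the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
STAGES = ("t0", "t1", "t2", "t3", "t4")


@dataclass(frozen=True)
class StatusResponse:
    # Freshness fields shared by a CRL and a basic OCSP response.
    # Assumption: both timestamps are timezone-aware UTC datetimes.
    this_update: datetime
    next_update: datetime


def publishing_interval(resp: StatusResponse) -> timedelta:
    # Oscar's formula: CautionaryPeriod = NextUpdate - ThisUpdate.
    # In Olle's terms this is the publishing interval (frequency), not the latency.
    if resp.next_update <= resp.this_update:
        raise ValueError("nextUpdate must be later than thisUpdate")
    return resp.next_update - resp.this_update


def latency_breakdown(events: dict) -> dict:
    # Olle's latency: time from t0 (operator presses "revoke") to t4 (responder
    # database updated), split per stage so an operator can see which hop dominates.
    missing = [k for k in STAGES if k not in events]
    if missing:
        raise KeyError(f"missing timestamps: {missing}")
    ordered = [events[k] for k in STAGES]
    if any(later < earlier for earlier, later in zip(ordered, ordered[1:])):
        raise ValueError("revocation events must be non-decreasing in time")
    t0, t1, t2, t3, t4 = ordered
    return {
        "sign": t1 - t0,     # waiting for the revocation to land in a signed CRL
        "publish": t2 - t1,  # CRL signed -> CRL published
        "fetch": t3 - t2,    # CRL published -> fetched/pushed to the responder
        "apply": t4 - t3,    # responder ingests the CRL into its database
        "total": t4 - t0,    # the latency Olle describes
    }


def is_fresh(resp: StatusResponse, now: datetime,
             skew: timedelta = timedelta(minutes=5)) -> bool:
    # Relying-party check: accept the response only while `now` lies inside
    # [thisUpdate, nextUpdate]; the clock-skew allowance is an assumed default.
    return resp.this_update - skew <= now <= resp.next_update + skew


# Constructed sample data (not from the thread): a one-day CRL window and a
# revocation that takes 2h30m to reach the responder.
SAMPLE_RESPONSE = StatusResponse(
    this_update=datetime(2005, 6, 2, 0, 0, tzinfo=UTC),
    next_update=datetime(2005, 6, 3, 0, 0, tzinfo=UTC),
)
SAMPLE_EVENTS = {
    "t0": datetime(2005, 6, 2, 10, 0, tzinfo=UTC),
    "t1": datetime(2005, 6, 2, 11, 0, tzinfo=UTC),
    "t2": datetime(2005, 6, 2, 11, 5, tzinfo=UTC),
    "t3": datetime(2005, 6, 2, 12, 0, tzinfo=UTC),
    "t4": datetime(2005, 6, 2, 12, 30, tzinfo=UTC),
}

if __name__ == "__main__":
    print("publishing interval:", publishing_interval(SAMPLE_RESPONSE))
    for stage, delta in latency_breakdown(SAMPLE_EVENTS).items():
        print(f"{stage:>8}: {delta}")
    print("fresh at 12:00Z:", is_fresh(SAMPLE_RESPONSE, datetime(2005, 6, 2, 12, 0, tzinfo=UTC)))
```

With the constructed sample, the interval is 24 hours while the latency total is 2h30m, which is the distinction Olle draws: a short nextUpdate window says nothing about how long a pressed revocation takes to become visible, and a client that only checks freshness still sees stale status for the whole of that latency.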