In 95%+ of the cases, I would agree with you. However, there is a discussion about this already in Section 4.2, which concludes that we cannot make this kind of general judgement (local Trusted responder, Authorized responder, CRLs) for all deployment scenarios.

I suggest changing the text in 4.7, along the lines of:

In case the Unknown state is returned, it is left to local policy and application-level logic to determine a suitable action. As a default, we recommend that applications behave as if they would had they received a Revoked state with revocationReason certificateHold (that is, a temporal revocation state).

OK?

/Olle

On Jun 2, 2005, at 18:05, Oscar Manso wrote:

Search revocation information in preference order: clients should validate local Trusted OCSP responders first, Authorized OCSP responders next and then CRLs. First final answer ends the search (understanding by final answer a valid or invalid one).
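
The search discussed in this thread, as an added example that is not part of either message: sources are tried in a locally configured order, the first Good or Revoked answer ends the search, and if every source answers Unknown the result defaults to Revoked with certificateHold unless local policy overrides it. The source names, the table-backed lookups, the sample serials and the handling of an unreachable source are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"

@dataclass(frozen=True)
class Answer:
    status: Status
    source: str
    reason: Optional[str] = None  # revocationReason, set for REVOKED

def table_source(name, table):
    """Constructed stand-in for a responder or CRL: serial -> (Status, reason)."""
    def lookup(serial):
        status, reason = table.get(serial, (Status.UNKNOWN, None))
        return Answer(status, name, reason)
    return name, lookup

def hold_by_default(serial):
    # Default from the proposed 4.7 text: act as if Revoked/certificateHold.
    return Answer(Status.REVOKED, "default-policy", "certificateHold")

def check_revocation(serial, sources, on_unknown=hold_by_default):
    """Try sources in the given (locally chosen) order; first final answer wins."""
    for name, lookup in sources:
        try:
            answer = lookup(serial)
        except OSError:
            continue  # assumption: an unreachable source gives no final answer
        if answer.status in (Status.GOOD, Status.REVOKED):
            return answer  # final answer ends the search
    return on_unknown(serial)  # every source said Unknown: local policy decides

# Constructed sample data, in the preference order quoted above.
SOURCES = [
    table_source("trusted-ocsp", {"01": (Status.GOOD, None), "04": (Status.GOOD, None)}),
    table_source("authorized-ocsp", {"02": (Status.REVOKED, "keyCompromise")}),
    table_source("crl", {"04": (Status.REVOKED, "superseded")}),
]

if __name__ == "__main__":
    for serial in ("01", "02", "03", "04"):
        print(serial, check_revocation(serial, SOURCES))
```

Serial 04 shows why the order is a policy decision: the same sources in reverse order return Revoked instead of Good.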