4.2 talks about CRLs, as does 7.3, but most of the rest of the doc seems to assume only OCSP will exist. For example, 4.7 suggests that "In case the resulting status after an exhausted search is still an error or status Unknown, the client SHOULD interpret that as Revoked with revocationReason certificateHold (that is, a non-definite revocation state), unless otherwise configured."
This is a bit evil, yes. The recommended interpretation above should be that of the client, after consulting ALL revocation sources, including CRLs. All other parties should simply reply "unknown" when they run out of options.
Experience with Grid / openssl use of CRLs and Netscape's OCSP client suggests to me that network failure and OCSP responder timeout should be considered as "unknown - tryLater" (we can agree to that - similar to 4.7).
Note that "tryLater" is an error code, whereas "unknown" is a certificate status encoded in an otherwise perfectly fine and digitally signed OCSP response. Two completely different things, in other words.
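To make the distinction in this reply concrete (an OCSP error code such as tryLater versus a signed Unknown status) together with the client-side rule quoted from 4.7, here is an added illustration that is not part of the thread or of the draft: a constructed Python model of a client that walks every CRL and OCSP source before falling back to the certificateHold interpretation. The names (Status, SourceError, Result, make_crl, make_ocsp) and the sample serial numbers are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Status(Enum):  # certificate status carried in a signed OCSP response or CRL
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"

class SourceError(Exception):
    """A source could not answer: OCSP tryLater, responder timeout, CRL fetch failed."""

@dataclass
class Result:
    status: Status
    reason: Optional[str] = None  # CRLReason name, e.g. "certificateHold"
    definite: bool = True         # False when synthesised after an exhausted search

def client_status(serial, sources, unknown_as_hold=True):
    """Consult every CRL and OCSP source in order; good/revoked ends the search.
    An error (tryLater, timeout) or Unknown means 'try the next layer'. Only an
    exhausted search triggers the section 4.7 rule: Revoked/certificateHold,
    unless the client is configured otherwise (unknown_as_hold=False)."""
    for src in sources:          # each source: serial -> Result, or raises SourceError
        try:
            res = src(serial)
        except SourceError:
            continue  # not a status: fall through to the next source
        if res.status is not Status.UNKNOWN:
            return res
    if unknown_as_hold:
        return Result(Status.REVOKED, "certificateHold", definite=False)
    return Result(Status.UNKNOWN, definite=False)

# Constructed stand-ins for a downloaded CRL and an OCSP responder.
def make_crl(listed):
    def crl(serial):
        if serial in listed:
            return Result(Status.REVOKED, listed[serial])
        return Result(Status.GOOD)  # in scope and not listed
    return crl

def make_ocsp(answers):
    def ocsp(serial):
        ans = answers.get(serial, "tryLater")
        if ans in ("tryLater", "timeout"):
            raise SourceError(ans)  # error code / failure, not a certificate status
        return Result(Status(ans))
    return ocsp
```

Intermediate parties (responders forwarding to other responders) would stop at the loop and answer Unknown; only the end client applies the certificateHold fallback.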
4.7 - discussion about delta CRLs.
4.7 is about error handling and the unknown status code. Do you mean section 5.3 or 6.3?
This seems to be a discussion about 2 recommendations: 1) CAs - publish your CRLs directly to the (some) OCSP responder(s); 2) use delta CRLs to reduce size.
Can we slim down those 2 paras to essentially say just that?