OCSP document - proxies and delta CRLs
* Page 7, section 5.5: the paragraph suggesting the use of Delta CRLs to obtain a Proxy Certificate's status has been deleted ("Another option refers to using OCSP in a Push Operation Mode as mentioned in section 6.3, where relying parties SHOULD obtain revocation information through its OCSP service provider as soon as it is updated by the corresponding CA through Delta-CRLs"). Only as a way to let the reader know about this possibility, don't you think it is worth keeping?
For an EE to "register" a proxy certificate with an OCSP responder, we will require a protocol, and/or extensions to an existing protocol. Why cannot the "disabling" of a previously registered proxy cert use the same channel? The two operations are about making changes to the responder's revocation database, so for me it makes sense to have them tightly coupled. I don't rule out the use of Delta CRLs, but a Delta must be built relative to a full CRL, which must be referenced. What is the full CRL of an EE? In addition, support would have to be added in the responder validation routines to allow EE (or proxies thereof?) certs to sign CRLs. Overall, this smells too much of a hack to me. /Olle
Participants: Olle Mulmo