> 4.2 talks about CRLs, as does 7.3, but most of the rest of the doc
> seems to assume only OCSP will exist. For example, 4.7 suggests that
>
> > In case the resulting status after an exhausted search is still
> > an error or status Unknown, the client SHOULD interpret that as
> > Revoked with revocationReason certificateHold (that is, a
> > non-definite revocation state), unless otherwise configured.

This is a bit evil, yes. The recommended interpretation above should be
that of the client, after consulting ALL revocation sources, including
CRLs. All other parties should simply reply "unknown" when they run out
of options.

> Experience with Grid / openssl use of CRLs and Netscape's OCSP client
> suggests to me that network failure and OCSP responder timeout should
> be considered as "unknown - tryLater" (we can agree to that - similar
> to 4.7).

Note that "tryLater" is an error code, whereas "unknown" is a
certificate status encoded in an otherwise perfectly fine and digitally
signed OCSP response. Two completely different things, in other words.

> 4.7 - discussion about delta CRLs.
>
> This seems to be a discussion about 2 recommendations:
>
> 1) CAs: publish your CRLs directly to the (some) OCSP responder(s)
> 2) use delta CRLs to reduce size
>
> Can we slim down those 2 paras to essentially say just that?

4.7 is about error handling and the unknown status code. Do you mean
section 5.3 or 6.3?
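The client-side behaviour argued over in this exchange, as an added example that is not part of the thread or of the draft under discussion: a signed OCSP response whose certStatus is "unknown" and an OCSP error such as tryLater are different things, but both are non-definitive, so a client keeps going to the next source (another responder, a CRL, a CRL plus delta), and only once every source is exhausted does the configurable fallback of treating the certificate as revoked with reason certificateHold apply. The source names, serial numbers and the Result/source helpers are made up for this example; the OCSPResponseStatus values are the ones from RFC 2560 section 4.2.1 and the removeFromCRL handling follows RFC 5280's delta CRL semantics.

```python
# Added example: revocation lookup across OCSP responders and CRLs, with the
# "tryLater error" vs "unknown status" distinction kept separate and the
# exhausted-search fallback made configurable. Not the draft's own code.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class OCSPResponseStatus(Enum):
    """OCSPResponseStatus per RFC 2560 section 4.2.1 (value 4 is unused)."""
    SUCCESSFUL = 0
    MALFORMED_REQUEST = 1
    INTERNAL_ERROR = 2
    TRY_LATER = 3
    SIG_REQUIRED = 5
    UNAUTHORIZED = 6


class CertStatus(Enum):
    """CertStatus carried inside a successful, signed BasicOCSPResponse."""
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass
class Result:
    source: str                   # which source produced this answer
    definitive: bool              # good/revoked end the search; anything else does not
    status: Optional[CertStatus]  # None when no certificate status came back at all
    reason: Optional[str] = None  # revocationReason, e.g. "certificateHold"
    error: Optional[str] = None   # response- or transport-level error, if any


Source = Callable[[int], Result]


def ocsp_source(name: str, response_status: OCSPResponseStatus,
                known: Optional[Dict[int, tuple]] = None) -> Source:
    """Simulated OCSP responder (made up). Only a SUCCESSFUL response carries
    a certStatus; tryLater and the other errors carry none. A serial the
    responder has no record of yields certStatus "unknown"."""
    known = known or {}

    def query(serial: int) -> Result:
        if response_status is not OCSPResponseStatus.SUCCESSFUL:
            return Result(name, False, None, error=response_status.name)
        status, reason = known.get(serial, (CertStatus.UNKNOWN, None))
        return Result(name, status is not CertStatus.UNKNOWN, status, reason)
    return query


def crl_source(name: str, base: Dict[int, str],
               delta: Optional[Dict[int, str]] = None,
               available: bool = True) -> Source:
    """Simulated CRL lookup (made up). A fetched CRL is definitive: a listed
    serial is revoked, an unlisted one is good. A delta CRL is applied over
    the base CRL; reason removeFromCRL takes a held certificate back off the
    list. An unreachable CRL is a non-definitive error, like tryLater."""
    entries = dict(base)
    for serial, reason in (delta or {}).items():
        if reason == "removeFromCRL":
            entries.pop(serial, None)
        else:
            entries[serial] = reason

    def query(serial: int) -> Result:
        if not available:
            return Result(name, False, None, error="NETWORK_FAILURE")
        if serial in entries:
            return Result(name, True, CertStatus.REVOKED, entries[serial])
        return Result(name, True, CertStatus.GOOD)
    return query


def resolve_status(serial: int, sources: List[Source],
                   exhausted_as_hold: bool = True) -> Result:
    """Consult sources in order, stopping at the first definitive answer.
    Once the search is exhausted, either apply the recommended fallback
    (revoked, reason certificateHold, still marked non-definitive) or, if
    configured otherwise, hand back the last non-definitive result."""
    last: Optional[Result] = None
    for source in sources:
        last = source(serial)
        if last.definitive:
            return last
    if exhausted_as_hold:
        return Result("fallback", False, CertStatus.REVOKED, "certificateHold",
                      error=last.error if last else None)
    return last or Result("fallback", False, None, error="no sources configured")


def demo() -> Dict[str, Result]:
    """Constructed scenario: an overloaded responder (tryLater), a responder
    that knows one serial, and a CRL with a delta that releases a hold."""
    sources = [
        ocsp_source("ocsp-a", OCSPResponseStatus.TRY_LATER),
        ocsp_source("ocsp-b", OCSPResponseStatus.SUCCESSFUL,
                    {0x1234: (CertStatus.REVOKED, "keyCompromise")}),
        crl_source("crl", base={0x55: "certificateHold", 0x77: "superseded"},
                   delta={0x55: "removeFromCRL"}),
    ]
    no_crl = sources[:2] + [crl_source("crl", {}, available=False)]
    return {
        "revoked_by_ocsp": resolve_status(0x1234, sources),
        "unknown_then_good_by_crl": resolve_status(0x99, sources),
        "hold_released_by_delta": resolve_status(0x55, sources),
        "revoked_by_crl": resolve_status(0x77, sources),
        "exhausted_default": resolve_status(0x99, no_crl),
        "exhausted_configured": resolve_status(0x99, no_crl, exhausted_as_hold=False),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:26} {r.source:9} {(r.status.value if r.status else '-'):8} "
              f"{r.reason or ''} {r.error or ''}")
```

Running the file prints one line per scenario. The point to notice is that ocsp-a's tryLater and ocsp-b's "unknown" both fall through to the CRL in the same way, yet they are kept apart in the Result (an error string versus a CertStatus), so a log line or a policy hook can still tell a responder outage from a responder that simply does not know the certificate.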