
Re: [caops-wg] OCSP section 6.3



On Jun 2, 2005, at 18:04, Oscar Manso wrote:

> In fact, the cautionary period can be inferred
> from the OCSP Response - and the CRL - by applying the formula
>
> CautionaryPeriod = NextUpdate - ThisUpdate
>
> The CautionaryPeriod indicates the interval of time during which a change on
> the status on a cert may not be reflected on the OCSP response being
> provided.

I think we are confusing two things here: latency and frequency.

t0: CA operator presses the "revoke" button
t1: CRL gets timestamped
t2: CRL gets published
t3: CRL is fetched/pushed over to OCSP responder
t4: OCSP responder has updated its revocation database

What you call CautionaryPeriod above defines an upper bound of the time between t1 of CRL#n and t2 of CRL#(n+1) -- that is, the frequency or interval with which updates will be available. While this is important, I would argue that a Cautionary Period as described in the RFC is the _latency_, i.e. the time between t0 and t4 for a particular revocation to take effect.

The document should be improved to cover both of these features and point out the issues associated with them. Does anyone have any better words than "publishing interval" (frequency?) and "cautionary period" (latency?) for these things?

/Olle