Wireless-Innovation-Forum / Citizens-Broadband-Radio-Service-Device

Apache License 2.0

Regarding defining OCSP URL for revoked certificates #117

Open pawan25062 opened 6 years ago

pawan25062 commented 6 years ago

Hi Idan,

We tried to create certificates with CRL extensions, but we need clarification on why both the OCSP and CRL URLs are needed in the certificates:

        Authority Information Access:
            OCSP - URI:http://ocsp.testharness.cbsd.winnf.github.com/

        X509v3 CRL Distribution Points:

            Full Name:
              URI:http://testharness.cbsd.winnf.com/crlserver.crl

Could you please confirm why this OCSP URL is needed in this certificate?

Regards, Pawan Jangid

idanrazisr commented 6 years ago

Hi Pawan, for revoked certificates the device checking the certificate status can use either OCSP or CRL so I put both inside the certificate. This is also according to WINNF-TS-0022 v1.1.0 CBRS PKI. Currently for testing purposes we will go with the CRL method (SAS vendors are also using the CRL method for now), but the X.509 certificate has both OCSP and CRL.
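
The following is an added example, not part of the thread or of the project's own certificate scripts: it issues two throwaway self-signed certificates with `openssl`, one carrying both revocation pointers quoted above and one carrying only the CRL pointer, then reads the pointers back to show which status-check methods each certificate offers. The function names, subject name and temporary paths are assumptions made for the example.

```shell
#!/bin/sh
# Constructed example: throwaway self-signed test certificates, not real CBSD certs.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert PREFIX EXT_LINES: issue PREFIX.pem with the given extension lines.
make_cert() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = constructed-test-cbsd
[ext]
$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# OCSP responder URL from the Authority Information Access extension.
ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }

# First URI under "X509v3 CRL Distribution Points" in the text dump.
crl_uri() {
    openssl x509 -in "$1" -noout -text | awk '
        /CRL Distribution Points/ { in_dp = 1; next }
        in_dp && /URI:/ { sub(/.*URI:/, ""); sub(/[ \t\r]+$/, ""); print; exit }
        in_dp && /X509v3|Authority Information Access|Signature Algorithm/ { exit }'
}

# Revocation-check methods a relying party could use for this certificate.
revocation_methods() {
    methods=""
    [ -n "$(crl_uri "$1")" ] && methods="crl"
    [ -n "$(ocsp_uri "$1")" ] && methods="${methods:+$methods }ocsp"
    echo "$methods"
}

OCSP_EXT='authorityInfoAccess = OCSP;URI:http://ocsp.testharness.cbsd.winnf.github.com/'
CRL_EXT='crlDistributionPoints = URI:http://testharness.cbsd.winnf.com/crlserver.crl'

make_cert "$WORK/both" "$OCSP_EXT
$CRL_EXT"
make_cert "$WORK/crl_only" "$CRL_EXT"

echo "both:     $(revocation_methods "$WORK/both.pem")"
echo "crl_only: $(revocation_methods "$WORK/crl_only.pem")"
```

A certificate that prints only `crl` still works with the CRL-based checking described in the reply, but gives an OCSP-only relying party no responder to query.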