|Applies To||Keon Certificate Authority 6.5.1, OCSP - Online Certificate Status Protocol|
|Issue||Expired certificate returns Good with OCSP client|
|Resolution||The OCSP client is working properly. If you look at the actual RFC, http://www.ietf.org/rfc/rfc2560.txt, you will see that "good" does not necessarily mean the certificate exists or is currently valid. "Good" only means the certificate is not on the CRL. This is considered acceptable because the relying application should check the signature (to ensure it is a real certificate) and the validity period before asking OCSP for the status; Microsoft applications and others do that. The relevant text from RFC 2560 is quoted below:|
This specification defines the following definitive response indicators for use in the certificate status value:
The "good" state indicates a positive response to the status inquiry. At a minimum, this positive response indicates that the certificate is not revoked, but does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the certificate's validity interval.
|Legacy Article ID||a35271|
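The validation order the article describes (signature first, then validity period, and only then the OCSP status), shown as an added example that is not part of the knowledge base article and is not Keon CA or RSA code. It assumes a certificate modelled as a plain dict, a CA "signature" implemented as an HMAC over the certificate fields (a stand-in for a real asymmetric signature, chosen only to keep the example standard-library only), and a stub OCSP responder that follows the RFC 2560 semantics quoted above: any serial not on its revocation list is answered "good", including serials that are expired or were never issued. The serials, dates and key are constructed sample values.

```python
"""Relying-party validation order for OCSP "good" responses (added example)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed CA signing key (sample value, not real key material).
CA_KEY = b"example-ca-signing-key"


def sign(cert_fields: dict) -> str:
    """CA 'signature' stand-in: HMAC-SHA256 over the canonical JSON of the fields.
    A real CA uses an asymmetric signature; HMAC is an assumption made here to
    avoid third-party dependencies."""
    payload = json.dumps(cert_fields, sort_keys=True).encode()
    return hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()


def issue(serial: int, not_before: str, not_after: str) -> dict:
    """Build a certificate-like record: to-be-signed fields plus the CA signature."""
    fields = {
        "serial": serial,
        "subject": "CN=example",
        "not_before": not_before,
        "not_after": not_after,
    }
    return {"tbs": fields, "signature": sign(fields)}


# Stub OCSP responder state: a set of revoked serials and nothing else.
REVOKED_SERIALS = {1002}


def ocsp_status(serial: int) -> str:
    """RFC 2560 semantics: 'good' means only 'not known to be revoked'.
    The responder does not know whether the serial was ever issued or has expired."""
    return "revoked" if serial in REVOKED_SERIALS else "good"


def check_certificate(cert: dict, now: datetime) -> str:
    """Apply the checks in the order the article recommends.
    Returns 'valid' or a rejection reason."""
    # 1. Signature: is this a real certificate from our CA?
    expected = sign(cert["tbs"])
    if not hmac.compare_digest(expected, cert["signature"]):
        return "rejected: bad signature"
    # 2. Validity period: OCSP will not catch an expired certificate.
    not_before = datetime.fromisoformat(cert["tbs"]["not_before"])
    not_after = datetime.fromisoformat(cert["tbs"]["not_after"])
    if now < not_before or now > not_after:
        return "rejected: outside validity period"
    # 3. Only now is the OCSP answer meaningful.
    status = ocsp_status(cert["tbs"]["serial"])
    if status != "good":
        return f"rejected: ocsp {status}"
    return "valid"


def demo() -> dict:
    """Exercise the four cases: expired, revoked, current, and never issued."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    expired = issue(1001, "2020-01-01T00:00:00+00:00", "2021-01-01T00:00:00+00:00")
    revoked = issue(1002, "2024-01-01T00:00:00+00:00", "2025-01-01T00:00:00+00:00")
    current = issue(1003, "2024-01-01T00:00:00+00:00", "2025-01-01T00:00:00+00:00")
    # A record with a serial the CA never issued; its signature cannot match.
    forged = dict(current, tbs=dict(current["tbs"], serial=9999))
    return {
        "expired_ocsp": ocsp_status(1001),  # "good": responder only tracks revocations
        "expired": check_certificate(expired, now),
        "revoked": check_certificate(revoked, now),
        "current": check_certificate(current, now),
        "forged_ocsp": ocsp_status(9999),  # also "good": never issued, never revoked
        "forged": check_certificate(forged, now),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two `*_ocsp` entries show the behaviour the article explains: the responder answers "good" for both the expired and the never-issued serial, and it is the relying party's signature and validity-period checks, run before the OCSP query, that reject them.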