On Sat, 2013-04-27 at 17:37 +0000, Tom Ritter wrote:
> I have what may be a well-trodden topic in the nuances of OCSP Stapling
> - but after having it posed to me I realized I did not know the
> answer. Thus, I ask publicly in the hope that there is a simple
> answer I can point to in the future.
>
> If a CA uses a delegated signer for OCSP, and a website delivers an
> OCSP Staple... How does the user (talking only to the website) get
>
> - The Delegated Signing Cert (which is presumably an Intermediate off
> a Trust Root)
> - The revocation information for *that* Intermediate cert
See the definition of an OCSPResponse in RFC 2560. An OCSPResponse may contain an optional sequence of additional certificates. This is the place to transport the delegated signing cert.

In my understanding, if you request status for a certificate C1, which was signed by a CA1, and the CA1 chooses to use a delegated signing cert C2, then both C1 and C2 must have been signed by the same CA1.

Although an OCSP response can contain only information related to one CA, the signed data inside the OCSPResponse contains a sequence of one or more entries of type SingleResponse. I guess this sequence could contain status entries for both C1 and C2.

I wonder if an OCSP responder using a delegated signing cert should always include status information for the delegated signing cert, too.

Kai

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
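The two RFC 2560 fields Kai points at are easy to see in the DER. The following is an added example, not code from the thread or from any Mozilla project: a stdlib-only Python script that builds a BasicOCSPResponse skeleton with the delegated signer's certificate in the optional `certs` field and two SingleResponse entries (one for the end-entity C1, one for the delegated signer C2), then parses it back the way a stapling-aware client would and checks whether the response also covers the certificate it transports. The issuer name, keys, serial numbers (0x1001 for C1, 0x2002 for C2), the signature bytes and the Certificate blobs are constructed placeholders: they have the right DER shape but are not valid or signed.

```python
# Added example (not from the original thread). RFC 2560 layout only; the
# signature and the Certificate blobs are constructed placeholders.
import hashlib

# --- minimal DER encoder -----------------------------------------------------
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def seq(*items):          # SEQUENCE / SEQUENCE OF
    return tlv(0x30, b"".join(items))

def integer(n):           # INTEGER, non-negative only
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def octets(b):            # OCTET STRING
    return tlv(0x04, b)

def oid(dotted):          # OBJECT IDENTIFIER
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def gen_time(s):          # GeneralizedTime, e.g. b"20130427173700Z"
    return tlv(0x18, s)

SHA1 = seq(oid("1.3.14.3.2.26"), tlv(0x05, b""))            # CertID hashAlgorithm
SHA256_RSA = seq(oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))
ID_PKIX_OCSP_BASIC = oid("1.3.6.1.5.5.7.48.1.1")
PLACEHOLDER_SIG = tlv(0x03, b"\x00" * 9)                     # BIT STRING, not a real signature

def fake_certificate(serial):
    """Constructed stand-in for a Certificate: tbsCertificate keeps the real
    prefix ([0] EXPLICIT version, INTEGER serialNumber) and nothing else."""
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), octets(b"<rest of tbsCertificate omitted>"))
    return seq(tbs, SHA256_RSA, PLACEHOLDER_SIG)

def cert_id(issuer_name, issuer_key, serial):               # CertID
    return seq(SHA1, octets(hashlib.sha1(issuer_name).digest()),
               octets(hashlib.sha1(issuer_key).digest()), integer(serial))

def single_response(cid):                                   # SingleResponse, certStatus good
    return seq(cid, tlv(0x80, b""), gen_time(b"20130427173700Z"))  # good = [0] IMPLICIT NULL

def build_response(issuer_name, issuer_key, responder_key, serials, extra_certs):
    responses = seq(*[single_response(cert_id(issuer_name, issuer_key, s)) for s in serials])
    responder_id = tlv(0xA2, octets(hashlib.sha1(responder_key).digest()))  # byKey [2]
    tbs = seq(responder_id, gen_time(b"20130427173700Z"), responses)        # ResponseData
    parts = [tbs, SHA256_RSA, PLACEHOLDER_SIG]
    if extra_certs:
        parts.append(tlv(0xA0, seq(*extra_certs)))          # certs [0] EXPLICIT SEQUENCE OF Certificate
    resp_bytes = seq(ID_PKIX_OCSP_BASIC, octets(seq(*parts)))  # ResponseBytes
    return seq(tlv(0x0A, b"\x00"), tlv(0xA0, resp_bytes))   # OCSPResponse, successful(0)

# --- minimal DER decoder -----------------------------------------------------
def children(body):
    """Split a constructed body into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:
            n = ln & 0x7F
            ln, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out

def one(der, expect):
    """Unwrap a single top-level TLV, checking its tag, and return its body."""
    [(tag, body)] = children(der)
    assert tag == expect, hex(tag)
    return body

def serial_of_cert(cert_body):
    fields = children(children(cert_body)[0][1])            # tbsCertificate fields
    if fields[0][0] == 0xA0:                                 # skip [0] EXPLICIT version
        fields = fields[1:]
    return int.from_bytes(fields[0][1], "big")               # serialNumber

def inspect_response(der):
    """What a client learns from a stapled OCSPResponse: responderID form,
    certStatus per serial, and the serials of the certs carried in `certs`."""
    top = children(one(der, 0x30))
    assert top[0] == (0x0A, b"\x00"), "responseStatus != successful"
    rtype, rdata = children(one(top[1][1], 0x30))
    assert tlv(*rtype) == ID_PKIX_OCSP_BASIC, "not id-pkix-ocsp-basic"
    basic = children(one(rdata[1], 0x30))                    # BasicOCSPResponse
    tbs = children(basic[0][1])                              # ResponseData
    if tbs[0][0] == 0xA0:                                    # optional [0] version
        tbs = tbs[1:]
    statuses = {}
    for _, single in children(tbs[2][1]):                    # SEQUENCE OF SingleResponse
        cid, cstatus = children(single)[:2]
        serial = int.from_bytes(children(cid[1])[3][1], "big")
        statuses[serial] = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}[cstatus[0]]
    carried = []
    if len(basic) > 3 and basic[3][0] == 0xA0:               # certs present
        carried = [serial_of_cert(c) for _, c in children(one(basic[3][1], 0x30))]
    return {"responder_id": {0xA1: "byName", 0xA2: "byKey"}[tbs[0][0]],
            "statuses": statuses, "certs": carried}

def delegated_signer_covered(info):
    """Kai's question: does the response also carry a status entry for every
    certificate it transports in `certs` (i.e. for the delegated signer)?"""
    return all(s in info["statuses"] for s in info["certs"])

# Constructed scenario: CA1 issued end-entity C1 (0x1001) and delegated OCSP
# signer C2 (0x2002); the responder signs with C2's key and ships C2 in `certs`.
CA1_NAME, CA1_KEY, C2_KEY = b"CN=CA1 (constructed)", b"ca1-key (constructed)", b"c2-key (constructed)"
WITH_C2 = build_response(CA1_NAME, CA1_KEY, C2_KEY, [0x1001, 0x2002], [fake_certificate(0x2002)])
WITHOUT_C2 = build_response(CA1_NAME, CA1_KEY, C2_KEY, [0x1001], [fake_certificate(0x2002)])

if __name__ == "__main__":
    for name, der in (("C1 and C2", WITH_C2), ("C1 only", WITHOUT_C2)):
        info = inspect_response(der)
        print(name, info, "delegated signer covered:", delegated_signer_covered(info))
```

Running it prints the parsed view of both responses: in the first, `certs` carries serial 0x2002 and `statuses` has entries for both 0x1001 and 0x2002, so the delegated signer is covered; in the second the responder shipped C2 but answered only for C1, which is exactly the case where a client talking only to the web server has no status for the signing cert. A real client would of course also verify the signature with the carried certificate's key and check that certificate for the id-kp-OCSPSigning EKU, which this skeleton does not do.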
