On 27/04/13 18:37, Tom Ritter wrote:
I have what may be a well-trodden topic in the nuances of OCSP Stapling
- but after having it posed to me I realized I did not know the
answer. Thus, I ask publicly in the hope that there is a simple
answer I can point to in the future.
If a CA uses a delegated signer for OCSP, and a website delivers an
OCSP Staple... How does the user (talking only to the website) get
- The Delegated Signing Cert (which is presumably an Intermediate off
a Trust Root)
- The revocation information for *that* Intermediate cert
Tom, RFC2560 deals with this issue (see section 4.2.2.2.1).
Public CAs that use delegated OCSP signing should follow the CABForum
Baseline Requirements (section 13.2.5):
"the OCSP signing Certificate MUST contain an extension of type
id-pkix-ocsp-nocheck, as defined by RFC2560."
Delegated OCSP signing certificates are end-entity certs, not
Intermediate certs.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
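As an added example (not part of the thread, and not any CA's or browser's code), here is the exchange Rob describes, built with Python's `cryptography` package on a constructed toy PKI: the CA issues an end-entity responder cert carrying id-kp-OCSPSigning and id-pkix-ocsp-nocheck, the responder's cert rides inside the stapled response, and the client validates it straight from the staple, so the loop Tom asks about (fetching revocation data for the signer) never arises. All names, keys and dates are constructed.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime(2013, 4, 27)  # constructed: fixed clock for the toy PKI
def _cert(cn, issuer_cn, key, issuer_key, exts=()):  # toy issuance helper (constructed)
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
         .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=30)))
    for ext in exts:
        b = b.add_extension(ext, critical=False)
    return b.sign(issuer_key, hashes.SHA256())
# Constructed PKI: CA, delegated responder (an end-entity cert with nocheck), server cert.
ca_key, resp_key, srv_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ca_cert = _cert("Toy CA", "Toy CA", ca_key, ca_key, [x509.BasicConstraints(True, None)])
responder_cert = _cert("Toy OCSP Responder", "Toy CA", resp_key, ca_key,
    [x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), x509.OCSPNoCheck()])
server_cert = _cert("www.example.test", "Toy CA", srv_key, ca_key)

def build_staple():
    # What the CA's delegated responder signs and the web server later staples.
    b = (ocsp.OCSPResponseBuilder()
         .add_response(cert=server_cert, issuer=ca_cert, algorithm=hashes.SHA1(),
                       cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                       next_update=NOW + datetime.timedelta(days=1), revocation_time=None, revocation_reason=None)
         .responder_id(ocsp.OCSPResponderEncoding.HASH, responder_cert)
         .certificates([responder_cert]))  # the signer's cert travels inside the response
    return b.sign(resp_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)
def check_staple(der, issuer_cert):
    # Client side: returns (server cert status, whether the signer needs its own revocation check).
    resp = ocsp.load_der_ocsp_response(der)
    assert resp.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL
    # RFC 2560 4.2.2.2: signer is taken from the response, issued by the cert's own CA, with id-kp-OCSPSigning.
    [responder] = [c for c in resp.certificates if c.issuer == issuer_cert.subject]
    issuer_cert.public_key().verify(responder.signature, responder.tbs_certificate_bytes,
                                    ec.ECDSA(responder.signature_hash_algorithm))
    eku = responder.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    assert ExtendedKeyUsageOID.OCSP_SIGNING in eku
    responder.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                  ec.ECDSA(resp.signature_hash_algorithm))
    try:  # id-pkix-ocsp-nocheck: CA vouches for the signer, so no OCSP/CRL lookup for it
        responder.extensions.get_extension_for_class(x509.OCSPNoCheck)
        return resp.certificate_status, False
    except x509.ExtensionNotFound:
        return resp.certificate_status, True
```

The client never needs the signer from anywhere but the staple, and the nocheck extension is what lets it stop there instead of checking the signer's revocation in turn.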