István Zsolt BERTA wrote, On 2008-10-07 07:07:
> As I see we all agree on the fact that a 'trusted responder' can exist
> according to RFC 2560, and it is possible that an OCSP responder
> certificate is under a separate root. (There are various scenarios for
> providing OCSP service, it can be provided by a CA directly or by
> proxy responders, etc. but RFC 2560 does not deal with such issues.)
> 
> Thus, I refuse any statement that would claim that our solution is not
> RFC 2560 conformant.

It is conformant IF and only IF the user (not the CA) chooses to trust
that responder.  If the CERTIFICATE issued by the issuer says to go to
that responder for OCSP, but the responder's cert is not either
a) the issuer's cert, or
b) a cert issued by the same issuer as the cert under test,
then it is not conformant.  The RFC is very clear about that.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
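
The acceptance rule argued over in this thread, as an added example that is not part of the original messages and is not NSS code. Certificates are modelled as simple records with constructed fingerprints, "issued by" is assumed to have been established by signature verification elsewhere, and the id-kp-OCSPSigning requirement for delegated responders comes from RFC 2560 section 4.2.2.2 rather than from the post.

```python
from dataclasses import dataclass
from enum import Enum

OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning


@dataclass(frozen=True)
class Cert:
    """Simplified certificate model (constructed; no real X.509 parsing)."""
    fingerprint: str          # stands in for a hash of the DER encoding
    issuer_fingerprint: str   # issuer whose signature on this cert verified
    ekus: frozenset = frozenset()


class Verdict(Enum):
    LOCAL_TRUST = "responder explicitly trusted by the relying party"
    ISSUER_ITSELF = "response signed by the CA that issued the cert"
    DELEGATED = "responder cert issued by that CA for OCSP signing"
    REJECT = "responder not authorized for this cert"


def authorize_responder(responder, issuer, locally_trusted):
    """Decide whether `responder` may sign status for certs issued by `issuer`.

    `locally_trusted` holds responder fingerprints the user configured;
    an OCSP URL inside the certificate under test never adds to it.
    """
    if responder.fingerprint in locally_trusted:
        return Verdict.LOCAL_TRUST
    if responder.fingerprint == issuer.fingerprint:
        return Verdict.ISSUER_ITSELF
    if (responder.issuer_fingerprint == issuer.fingerprint
            and OCSP_SIGNING_EKU in responder.ekus):
        return Verdict.DELEGATED
    return Verdict.REJECT


# Constructed sample hierarchy.
CA_A = Cert("ca-a", "root-a")                  # issued the cert under test
DELEGATE = Cert("ocsp-a", "ca-a", frozenset({OCSP_SIGNING_EKU}))
NO_EKU = Cert("tls-a", "ca-a")                 # same issuer, no OCSP EKU
OTHER_ROOT = Cert("ocsp-b", "root-b", frozenset({OCSP_SIGNING_EKU}))
```

The `OTHER_ROOT` responder is the case from the thread: it is rejected unless the relying party has put its fingerprint in `locally_trusted`.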
