Following up with answers I found in case someone later is looking for
information and finds this thread.

On Sunday 11 November 2007, Chris Knadle wrote:
> Questions I'm currently working to answer:
> - Can the OCSP responder handle responding for the CA key itself?

It can.

> - What is required to list the OCSP URL in the Root CA key?

The OCSP Responder URL is listed in the authorityInfoAccess attribute.

> - If an OCSP responder URL is listed, can a URL for CRLs still be
> listed? I.E. is it "one-or-the-other" but not both?

It seems to be recommended to list and do both.
A URL for CRLs should be listed in the cRLDistributionPoints attribute.

The attributes nsCaRevocationUrl, nsCaPolicyUrl, nsRevocationUrl, and
nsPolicyUrl are all deprecated, which makes sense because in this context ns
stands for "Netscape". The nsComment attribute is discouraged but
seems to be commonly used anyway because the attribute value is viewable.

Implementation details and relevant documents can be found from search
engines by searching for the string:
"OCSP authorityInfoAccess extendedKeyUsage"

-- Chris
--
Chris Knadle
[EMAIL PROTECTED]
_______________________________________________
Mid-Hudson Valley Linux Users Group http://mhvlug.org
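
Added example (not part of the original message): a small Python check over OpenSSL-style extension sections that flags the deprecated ns* revocation and policy URLs named above and confirms that both an OCSP URI in authorityInfoAccess and a CRL URI in crlDistributionPoints are present. The section names, the example.test URLs and the function names are assumptions made for the illustration.

```python
import re

DEPRECATED = {"nscarevocationurl", "nscapolicyurl", "nsrevocationurl", "nspolicyurl"}

# Constructed sample config; section names and example.test URLs are assumptions.
SAMPLE_CNF = """
[ v3_good ]
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
crlDistributionPoints = URI:http://crl.example.test/ca.crl
[ v3_legacy ]
nsCaRevocationUrl = http://crl.example.test/ca.crl   # Netscape-era extension
nsComment = "Example CA certificate"
crlDistributionPoints = @crl_info
[ crl_info ]
URI.0 = http://crl.example.test/ca.crl
"""

def parse_sections(text):
    """Return {section: {lowercased key: value}} for a simple OpenSSL config."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(sections, name):
    """List findings for one extension section; an empty list means it passes."""
    ext, findings = sections[name], []
    for key in sorted(DEPRECATED & ext.keys()):
        findings.append(f"deprecated extension: {key}")
    if "ocsp;uri:" not in ext.get("authorityinfoaccess", "").lower():
        findings.append("no OCSP URI in authorityInfoAccess")
    crl = ext.get("crldistributionpoints", "")
    if crl.startswith("@"):  # value refers to another section, e.g. @crl_info
        crl = " ".join(f"{k}:{v}" for k, v in sections.get(crl[1:], {}).items())
    if "uri" not in crl.lower():
        findings.append("no URI in crlDistributionPoints")
    return findings

if __name__ == "__main__":
    for section in ("v3_good", "v3_legacy"):
        print(section, audit(parse_sections(SAMPLE_CNF), section) or "ok")
```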