From: [EMAIL PROTECTED] (Peter Gutmann)

pgut001> That may be a Netscape-ism, in earlier (and possibly still
pgut001> current) versions of their OCSP client they did something
pgut001> funny like requiring that responses be signed by some CA cert
pgut001> directly involved in issuing the cert, rather than a special
pgut001> OCSP responder cert like other vendors seem to be using.

"rather than" is perhaps not what you really meant.  Both are correct
options according to RFC2560, section 2.2 (Response):

   [...]
   All definitive response messages SHALL be digitally signed. The key
   used to sign the response MUST belong to one of the following:

   -- the CA who issued the certificate in question
   -- a Trusted Responder whose public key is trusted by the requester
   -- a CA Designated Responder (Authorized Responder) who holds a
      specially marked certificate issued directly by the CA, indicating
      that the responder may issue OCSP responses for that CA

According to what you say, Netscape required the first variant (which
is of course not sufficient to be RFC-compliant), while the others do
the second, or is it the third or both?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \      SWEDEN       \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
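An added example, not from this thread or from OpenSSL, that models the three signer options of RFC2560 section 2.2 as a decision function next to the issuer-only rule the thread attributes to Netscape. Cert, key_id, issuer_key_id and the sample PKI are constructed stand-ins for the relevant X.509 fields; no real parsing or signature verification is done.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set

# id-kp-OCSPSigning (RFC 2560 section 4.2.2.2): the "special mark" that a
# CA-designated responder certificate must carry.
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the few X.509 fields the check needs.
    key_id models the public key; issuer_key_id models the key that signed it."""
    subject: str
    key_id: str
    issuer_key_id: str
    ekus: FrozenSet[str] = frozenset()


def rfc2560_signer_clause(signer: Cert, issuing_ca: Cert,
                          trusted_responders: Set[str]) -> Optional[str]:
    """Return which RFC 2560 section 2.2 clause lets `signer` sign a response
    about a certificate issued by `issuing_ca`, or None if none applies."""
    # Clause 1: the CA that issued the certificate in question.
    if signer.key_id == issuing_ca.key_id:
        return "issuing CA"
    # Clause 2: a responder whose key the requester trusts directly
    # (locally configured, independent of the certificate chain).
    if signer.key_id in trusted_responders:
        return "trusted responder"
    # Clause 3: a responder cert issued *directly* by that CA and marked with
    # id-kp-OCSPSigning; a cert from a sub-CA or without the EKU does not count.
    if (signer.issuer_key_id == issuing_ca.key_id
            and ID_KP_OCSP_SIGNING in signer.ekus):
        return "CA-designated responder"
    return None


def netscape_style_accepts(signer: Cert, issuing_ca: Cert) -> bool:
    """The stricter behaviour described in the thread: clause 1 only, so a
    standards-compliant delegated responder is rejected."""
    return signer.key_id == issuing_ca.key_id


# Constructed sample PKI (hypothetical names and key identifiers).
CA = Cert("CN=Example CA", key_id="ca-key", issuer_key_id="ca-key")
DELEGATED = Cert("CN=Example OCSP Responder", key_id="resp-key",
                 issuer_key_id="ca-key", ekus=frozenset({ID_KP_OCSP_SIGNING}))
SUB_CA_RESPONDER = Cert("CN=Sub-CA OCSP Responder", key_id="sub-resp-key",
                        issuer_key_id="sub-ca-key",
                        ekus=frozenset({ID_KP_OCSP_SIGNING}))
UNMARKED = Cert("CN=Unmarked", key_id="plain-key", issuer_key_id="ca-key")
```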