> Date: Sat, 06 Jan 2001 08:25:57 +0100 (MET)
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: OCSP responder addresses?
> From: Richard Levitte - VMS Whacker <[EMAIL PROTECTED]>
>
> From: [EMAIL PROTECTED] (Peter Gutmann)
>
> pgut001> That may be a Netscape-ism, in earlier (and possibly still
> pgut001> current) versions of their OCSP client they did something
> pgut001> funny like requiring that responses be signed by some CA cert
> pgut001> directly involved in issuing the cert, rather than a special
> pgut001> OCSP responder cert like other vendors seem to be using.
>
> "rather than" is perhaps not what you really meant. Both are correct
> options according to RFC2560, section 2.2 (Response):
>
> [...]
> All definitive response messages SHALL be digitally signed. The key
> used to sign the response MUST belong to one of the following:
>
> -- the CA who issued the certificate in question
> -- a Trusted Responder whose public key is trusted by the requester
> -- a CA Designated Responder (Authorized Responder) who holds a
> specially marked certificate issued directly by the CA, indicating
> that the responder may issue OCSP responses for that CA
>
> According to what you say, Netscape required the first variant (which
> is of course not sufficient to be RFC-compliant), while the others do
> the second, or is it the third or both?
Nit-pick: The spec says that one of the listed keys must be used.
By the same token it means that _any_ of the listed signings is valid.
IF Netscape _required_ the first variant, and -rejected- anything
using variants 2 or 3, then Netscape is not following the specification.
Which is what the previous writer seems to be implying.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
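The three signer categories quoted above from RFC 2560 section 2.2, and the difference between an RFC-compliant verifier and one that only accepts responses signed by the issuing CA itself, as an added illustration that is not part of this thread or of OpenSSL's code. Certificates are simplified records (subject, issuer, key identifier, extended key usage) rather than real X.509, and cryptographic verification of the response signature and of the responder certificate is modelled by a flag and an issuer-name match; the `policy` names and all sample certificate values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# RFC 2560 4.2.2.2: a CA Designated Responder certificate carries this
# extended key usage (OID 1.3.6.1.5.5.7.3.9) and is issued directly by the CA.
OCSP_SIGNING_EKU = "id-kp-OCSPSigning"


@dataclass(frozen=True)
class Cert:
    """Simplified certificate record (constructed model, not real X.509)."""
    subject: str
    issuer: str
    key_id: str                       # stands in for the public key
    eku: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class OcspResponse:
    """Definitive OCSP response: who signed it and whether the signature verified."""
    signer: Cert
    signature_ok: bool                # result of the (modelled) signature check


def signer_category(resp: OcspResponse, issuer_ca: Cert,
                    trusted_responder_keys: FrozenSet[str]) -> Optional[str]:
    """Return which RFC 2560 2.2 category the signer falls into, or None."""
    if not resp.signature_ok:
        return None
    s = resp.signer
    # Variant 1: the CA that issued the certificate in question.
    if s.key_id == issuer_ca.key_id:
        return "issuing-ca"
    # Variant 2: a Trusted Responder the requester has configured explicitly.
    if s.key_id in trusted_responder_keys:
        return "trusted-responder"
    # Variant 3: a CA Designated Responder. In a real implementation the
    # responder certificate's signature must verify under the CA key; here
    # the issuer-name match models "issued directly by the CA".
    if s.issuer == issuer_ca.subject and OCSP_SIGNING_EKU in s.eku:
        return "designated-responder"
    return None


def accept_response(resp: OcspResponse, issuer_ca: Cert,
                    trusted_responder_keys: FrozenSet[str],
                    policy: str = "rfc2560") -> bool:
    """'rfc2560' accepts any of the three categories; 'issuing-ca-only' models
    a client that rejects variants 2 and 3 (constructed policy name)."""
    cat = signer_category(resp, issuer_ca, trusted_responder_keys)
    if cat is None:
        return False
    if policy == "rfc2560":
        return True
    if policy == "issuing-ca-only":
        return cat == "issuing-ca"
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample PKI.
CA = Cert("CN=Example CA", "CN=Example CA", "ca-key")
OTHER_CA = Cert("CN=Other CA", "CN=Other CA", "other-key")
DESIGNATED = Cert("CN=Example OCSP", "CN=Example CA", "ocsp-key",
                  frozenset({OCSP_SIGNING_EKU}))
TRUSTED = Cert("CN=Corp Responder", "CN=Corp Root", "corp-key")
# Has the OCSP signing EKU but was issued by a different CA: not authorized
# for certificates issued by CA.
ROGUE = Cert("CN=Other OCSP", "CN=Other CA", "rogue-key",
             frozenset({OCSP_SIGNING_EKU}))
TRUSTED_KEYS = frozenset({"corp-key"})


def evaluate_samples() -> Dict[str, Dict[str, object]]:
    """Run every sample signer through both policies."""
    results = {}
    for name, cert, sig_ok in [("ca", CA, True),
                               ("designated", DESIGNATED, True),
                               ("trusted", TRUSTED, True),
                               ("rogue", ROGUE, True),
                               ("bad-signature", CA, False)]:
        resp = OcspResponse(cert, sig_ok)
        results[name] = {
            "category": signer_category(resp, CA, TRUSTED_KEYS),
            "rfc2560": accept_response(resp, CA, TRUSTED_KEYS, "rfc2560"),
            "issuing-ca-only": accept_response(resp, CA, TRUSTED_KEYS,
                                               "issuing-ca-only"),
        }
    return results


if __name__ == "__main__":
    for name, r in evaluate_samples().items():
        print(f"{name:14s} {r}")
```

The `designated` and `trusted` rows are the cases the thread is about: both are valid under section 2.2, and a verifier that only takes the `issuing-ca` row rejects compliant responses. The `rogue` row shows the caveat in variant 3: the OCSP signing EKU alone is not enough, the responder certificate must come directly from the CA that issued the certificate being checked.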