[EMAIL PROTECTED] wrote:
> 
> I think Oscar's a bit confused.

Quite possibly. :-)

>  Richard wants to say
>         This is the cert of the OCSP responder I trust
> and that *is all* he wants to say.  He does not want/need to verify the
> chain of certs from the responder.  (It could be self-signed, it
> could be he has out of band information, etc.)

I think it just boils down to different trust model concepts.

I read "a Trusted Responder whose public key is trusted by the
requester" as one that had been [cross-]certified into my Public Key
Infrastructure. The resulting certificate would then warrant
verification, as validation information could then be carried in-band.

I guess I'm simply more comfortable trusting certificates than public
keys.

//oscar
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
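
The two trust models discussed in this message, as an added example that is not part of the original thread or of the OpenSSL sources: a standalone responder certificate is rejected when only chain verification is available, accepted when it is named explicitly with `-VAfile`, and a responder certified by the CA (with the OCSPSigning extended key usage) verifies through the chain alone. All subjects, file names and the index entry are constructed for the demo.

```shell
#!/bin/sh
# Added example: every name, subject and file below is constructed.
q() { "$@" >/dev/null 2>&1; }   # run a command quietly

mkcert() {  # mkcert <name> <subject>: self-signed certificate plus key
  q openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
      -subj "$2" -keyout "$1.key" -out "$1.pem"
}

verify() {  # verify <response.der> <openssl ocsp trust options...>
  r=$1; shift
  if openssl ocsp -respin "$r" "$@" 2>&1 | grep -q 'Response verify OK'
  then echo OK; else echo FAIL; fi
}

ocsp_trust_demo() (
  set -e
  cd "$(mktemp -d)"
  mkcert ca '/CN=Demo CA'
  mkcert pinned '/CN=Standalone Responder'   # not issued by the CA
  # Responder certified into the PKI, marked for OCSP signing
  q openssl req -newkey rsa:2048 -nodes -subj '/CN=Delegated Responder' \
      -keyout deleg.key -out deleg.csr
  echo 'extendedKeyUsage=OCSPSigning' > ext.cnf
  q openssl x509 -req -in deleg.csr -CA ca.pem -CAkey ca.key \
      -set_serial 2 -days 2 -extfile ext.cnf -out deleg.pem
  # Certificate whose status is queried, and a one-line CA index for it
  q openssl req -newkey rsa:2048 -nodes -subj '/CN=leaf' \
      -keyout leaf.key -out leaf.csr
  q openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
      -set_serial 1 -days 2 -out leaf.pem
  printf 'V\t350101000000Z\t\t01\tunknown\t/CN=leaf\n' > index.txt
  q openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der
  # Each responder signs a response offline from the same request
  for s in pinned deleg; do
    q openssl ocsp -index index.txt -CA ca.pem -rsigner $s.pem \
        -rkey $s.key -reqin req.der -respout $s.der -ndays 1
  done
  echo "standalone, chain only: $(verify pinned.der -CAfile ca.pem)"
  echo "standalone, explicitly trusted: $(verify pinned.der -CAfile ca.pem -VAfile pinned.pem)"
  echo "delegated, chain only: $(verify deleg.der -CAfile ca.pem)"
)
ocsp_trust_demo
```

The result is read from the tool's output rather than its exit status, since the exit status on a verification failure is not relied on here.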
