Re: OCSP request/response signing

[Howard Chan]

Dear all (Bob),   Thank you.  I see evidence of response verification and OCSP client/server works fine, I know.  However, I'm still unclear with the relationships between the : 1) CA root cert which signed the certs I'm checking the status on, 2) OCSP request signing cert from client, 3) OCSP request verification cert from server, 4) OCSP response signing cert from server, and finally 5) OCSP response verification cert from client.   I'm using version 0.9.7 beta 3 right now.   Please also view my comments below.....   Thank you.   - Howard   ----- Original Message ----- From: Bob Kupperstein To: [EMAIL PROTECTED] Sent: Tuesday, October 29, 2002 11:09 PM Subject: RE: OCSP request/response signing Here’s my understanding, and it seems to work using the OpenSSL OCSP client and responder, provided the appropriate certificates are installed in the right places (I’m using a 0.9.7 stable release from 9/02.   -Bob   -----Original Message----- From: Howard Chan [mailto:[EMAIL PROTECTED]] Sent: Tuesday, October 29, 2002 6:11 AM To: [EMAIL PROTECTED] Subject: OCSP request/response signing   Hello all,   I'm working with Openssl 0.9.7beta3's OCSP command, both client and server.   I'm a bit puzzled with how to establish the following :   1.  Signed requests from client   The OCSP request should be signed by a CA that is known by the responder.   HCHAN>>So I should sign the requests with the CA cert????  (ie. cacert.pem)  Weird!   2.  Request verification from server   The responder can verify the request if it has the CA certificate of the CA that signed the OCSP request.   HCHAN>>I see no evidence from the Request/Response output of any Request verification.  How do I know it's doing this?   3.  Signed responses from server   The OCSP response should be signed with a specific certificate that is known by the client, or by any certificate signed by a CA known by the client.   HCHAN>>From defining "-rsigner" of my ocsp server command, I MUST point it to a cert which is signed by the root CA (which signed the cert I'm checking the status for), and this cert must also contain the corresponding private key.  Am I right or wrong here?   4.  Response verification from client   The OCSP client can accept a VA certificate argument (a known certificate from a particular responder that is used as the response certificate) or a CA certificate argument (specifying which CA is signing the OCSP response).   HCHAN>>I'm not sure whether to use "-VAfile" or "-CAfile".  Doing what I noted above for "-rsigner", can't I just parse this same cert (it's public portion only) to "-CAfile" or "-VAfile"?  I know it fails when I use "-CAfile" and succeeds with "-VAfile".  I cannot explain why!!  Do you know?