I beg to differ on some of the answers below:
-----Original Message-----
From: Bob Kupperstein [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 29, 2002 8:39 PM
To: [EMAIL PROTECTED]
Subject: RE: OCSP request/response signing

Here's my understanding, and it seems to work using the OpenSSL OCSP client and responder, provided the appropriate certificates are installed in the right places (I'm using a 0.9.7 stable release from 9/02).

-Bob

-----Original Message-----
From: Howard Chan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 29, 2002 6:11 AM
To: [EMAIL PROTECTED]
Subject: OCSP request/response signing

Hello all,

I'm working with OpenSSL 0.9.7beta3's OCSP command, both client and server.

I'm a bit puzzled with how to establish the following:

1.  Signed requests from client

The OCSP request should be signed by a CA that is known by the responder.
[Mayank] The request can be signed by the requester using a certificate which is signed by any of the responder's trusted CAs. If the responder can reach a trusted CA, directly or through some intermediate CAs, it is fine.

2.  Request verification from server

The responder can verify the request if it has the CA certificate of the CA that signed the OCSP request.
[Mayank] Same explanation as above.

3.  Signed responses from server

The OCSP response should be signed with a specific certificate that is known by the client, or by any certificate signed by a CA known by the client.
[Mayank] The response should be signed either by the CA itself (the CA which issued the certificate in the first place), or by a special responder's certificate which has been signed by the CA (which issued the certificate in question).

4.  Response verification from client

The OCSP client can accept a VA certificate argument (a known certificate from a particular responder that is used as the response certificate) or a CA certificate argument (specifying which CA is signing the OCSP response).
[Mayank] Again, the client should be able to trust the certificate of the responder, directly or through intermediate CAs. It shall also check in the responder's certificate whether the responder is authorized to respond.
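
The four points above carried out end to end with the openssl ocsp command, as an added example that is not part of the original thread. It assumes a current OpenSSL (1.1.1 or 3.x) with the openssl binary on PATH and a POSIX shell; every name (Example CA, responder, bogus, client, good, revoked), serial number and index.txt entry is constructed for the demonstration. It goes one step beyond the thread by also producing a response from a certificate that the right CA issued but without the OCSPSigning extended key usage, which is the authorization check point 4 refers to.

```shell
#!/bin/sh
# Added example, not from the original thread: the four points above carried out
# offline with the openssl ocsp command. Every name (Example CA, responder, bogus,
# client, good, revoked), serial number and index.txt entry is constructed here.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Issue "$1.pem" from ca.pem with serial $2 and an optional x509v3 extension line $3.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  printf '%s\n' "${3:-basicConstraints=CA:FALSE}" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "$2" \
    -days 30 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}
# Serial as openssl prints it (upper-case hex), which is also the index.txt form.
serial_of() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# The PKI: a self-signed CA, a delegated responder carrying the OCSPSigning EKU,
# a "bogus" responder issued by the same CA but without that EKU, a client
# certificate for request signing, and two end-entity certificates to ask about.
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
  -subj "/CN=Example CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -set_serial 1 -days 30 \
  -extfile ca.ext -out ca.pem 2>/dev/null
issue_cert responder 0x10 extendedKeyUsage=OCSPSigning
issue_cert bogus     0x11
issue_cert client    0x12
issue_cert good      0x1001
issue_cert revoked   0x1002

# Revocation database in the openssl ca index format: status, expiry, revocation
# date, serial, file name, subject (tab separated). "good" is valid, "revoked" is not.
printf 'V\t330101000000Z\t\t%s\tunknown\t/CN=good\n' "$(serial_of good.pem)" > index.txt
printf 'R\t330101000000Z\t221029000000Z\t%s\tunknown\t/CN=revoked\n' \
  "$(serial_of revoked.pem)" >> index.txt

# Point 1: the client builds a request for both certificates and signs it with a
# certificate the responder's CA issued (-signer/-signkey).
openssl ocsp -issuer ca.pem -cert good.pem -cert revoked.pem -no_nonce \
  -signer client.pem -signkey client.key -reqout req.der >/dev/null
# A signed request carries a signature algorithm that -req_text prints; an unsigned one does not.
request_is_signed() {
  if openssl ocsp -reqin "$1" -req_text 2>/dev/null | grep -q 'Signature Algorithm'
  then echo yes; else echo no; fi
}

# Point 3: the responder answers from index.txt, signing with "$1.pem"/"$1.key".
# -CA names the CA whose certificates the index covers. -noverify stops older
# releases from trying to verify their own output.
make_response() {
  openssl ocsp -index index.txt -CA ca.pem -rsigner "$1.pem" -rkey "$1.key" \
    -reqin req.der -respout "$2" -noverify >/dev/null 2>&1
}
make_response responder resp-delegated.der   # CA-issued cert with OCSPSigning EKU
make_response ca        resp-ca.der          # the issuing CA signs directly
make_response bogus     resp-bogus.der       # CA-issued cert, no OCSPSigning EKU

# Point 4: client-side verification. Trust options are passed through: -CAfile
# trusts a CA (the signer must be that CA or carry the OCSPSigning EKU under it),
# -VAfile trusts the named responder certificate outright. The exit status of
# openssl ocsp differs between releases on verify failure, so the printed verdict decides.
verify_response() {
  resp=$1; shift
  out=$(openssl ocsp -respin "$resp" -issuer ca.pem -cert good.pem -cert revoked.pem \
    -no_nonce "$@" 2>&1 || true)
  case $out in *"Response verify OK"*) echo OK ;; *) echo FAIL ;; esac
}
# Certificate status reported for "$2.pem" in response $1 (good, revoked or unknown).
status_of() {
  openssl ocsp -respin "$1" -issuer ca.pem -cert "$2.pem" -no_nonce -noverify 2>/dev/null |
    sed -n "s/^$2\.pem: //p"
}

echo "request signed by client.pem:               $(request_is_signed req.der)"
echo "delegated responder, -CAfile ca.pem:        $(verify_response resp-delegated.der -CAfile ca.pem)"
echo "CA itself signs,     -CAfile ca.pem:        $(verify_response resp-ca.der -CAfile ca.pem)"
echo "no OCSPSigning EKU,  -CAfile ca.pem:        $(verify_response resp-bogus.der -CAfile ca.pem)"
echo "delegated responder, -VAfile responder.pem: $(verify_response resp-delegated.der -VAfile responder.pem)"
echo "status: good.pem=$(status_of resp-delegated.der good) revoked.pem=$(status_of resp-delegated.der revoked)"
echo "artifacts kept in $WORK"
```

Two things the commands make visible. With -CAfile the client accepts a response only when the signer is the issuing CA itself or a certificate that CA issued with extendedKeyUsage=OCSPSigning; the bogus responder chains to the same CA and still fails, which is the "authorized to respond" check from point 4. -VAfile instead names certificates that are trusted as responders outright: the chain and EKU checks are skipped, so it should only carry a certificate obtained out of band. The responder includes its own certificate in the response so the client can build that chain; -resp_no_certs drops it, and the client then needs -verify_other. On point 2, the responder mode of openssl ocsp signs and serves responses but, as far as its options go, does not verify the signature on an incoming request; a responder that wants to enforce it does so in code with OCSP_request_verify(), against the same kind of trust store the client uses in point 4.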