What are the risk moments here? Why was this clause put in?
--
Konrads Smelkovs
Applied IT sorcery.
On Tue, Mar 23, 2010 at 8:21 PM, Patrick Patterson <ppatter...@carillonis.com> wrote:
> Hi Konrads:
>
> No, in order for trust model 2 to work, the OCSP responder would have to be
> signed by the intermediate CA, not the root CA.
>
> The "Root CA is authoritative to delegate OCSP responses over the entire subCA
> tree" (which is the model you are using), is unsupported under RFC2560.
>
> Change your OCSP responder to use a certificate signed by the SubCA, and
> everything will work.
>
> Best Regards,
>
> Patrick.
>
> On March 23, 2010 01:07:52 pm Konrads Smelkovs wrote:
> > Hi,
> > The OCSP responder has EKU=OCSP:
> >
> > X509v3 extensions:
> >     X509v3 Subject Key Identifier:
> >         2B:6E:08:08:9D:92:5A:59:CB:BB:46:89:77:E8:A0:17:47:82:88:5C
> >     X509v3 Extended Key Usage:
> >         OCSP
> >     X509v3 Key Usage:
> >         Digital Signature, Non Repudiation
> >     X509v3 Authority Key Identifier:
> >         keyid:CC:C3:F5:66:FF:73:AC:38:5A:96:1B:21:89:B8:81:4C:1F:CB:5E:25
> >
> > I attached OCSP cert. I believe this is setup #2 you described.
> > --
> > Konrads Smelkovs
> > Applied IT sorcery.
> >
> > On Tue, Mar 23, 2010 at 5:39 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> > > On Tue, Mar 23, 2010, Konrads Smelkovs wrote:
> > > > Hello,
> > > >
> > > > I am running OpenSSL 0.9.8g 19 Oct 2007. I have a certificate for which
> > > > I want to check OCSP response.
> > > > Root chain is added to root list. OpenSSL says all of it is OK:
> > > > Chain has three level architecture - Root which Signs OCSP & Policy, Policy
> > > > which signs issuing CA which signs subscriber CA.
> > > >
> > > > $ openssl verify ksmelkovs.pem # Cert to verify
> > > > ksmelkovs.pem: OK
> > > >
> > > > $ openssl verify tssp.pem # OCSP responder cert
> > > > tssp.pem: OK
> > > >
> > > > $ openssl verify cacers/*vas*rca*pem
> > > > cacers/vas latvijas pasts ssi(rca).pem: OK
> > > >
> > > > $ x509 <ksmelkovs.pem -text |grep ocsp
> > > > OCSP - URI:http://ocsp.e-me.lv/responder.eme
> > > > $ x509 <ksmelkovs.pem -text |grep Issue
> > > > Issuer: C=LV, O=VAS Latvijas Pasts - Vien.reg.Nr.40003052790,
> > > > OU=Sertifikacijas pakalpojumi, CN=VAS Latvijas Pasts SI(CA2)
> > > >
> > > > $ ocsp -issuer cacers/*ca2*pem -cert ksmelkovs.pem -url http://ocsp.e-me.lv/responder.eme
> > > > Response Verify Failure
> > > > 5083:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c:148:
> > > > ksmelkovs.pem: good
> > > >         This Update: Mar 23 11:29:33 2010 GMT
> > > > konr...@konrads-laptop:~/Sertifikati$ openssl verify ksmelkovs.pem
> > > > ksmelkovs.pem: OK
> > > >
> > > > Copies of these certs are uploaded here: http://drop.io/lykqq21#
> > > >
> > > > The 64k USD question: If I have entire trust chain in trusted list, then
> > > > why would it complain?
> > >
> > > There are two automatic trust models for OCSP responder certificates. One is
> > > the CA key that signed the certificate also signs responses: that isn't
> > > recommended for security reasons. The other is that the CA signs a responder
> > > certificate with an OCSP signing EKU extension and responses are signed by the
> > > corresponding private key.
> > >
> > > Your setup doesn't seem to cover either case. You can explicitly trust
> > > the responder certificate with the -VAfile option or add explicit OCSP
> > > signing trust to the root.
> > >
> > > Steve.
> > > --
> > > Dr Stephen N. Henson. OpenSSL project core developer.
> > > Commercial tech support now available see: http://www.openssl.org
> > > ______________________________________________________________________
> > > OpenSSL Project                                 http://www.openssl.org
> > > User Support Mailing List                    openssl-users@openssl.org
> > > Automated List Manager                           majord...@openssl.org
> --
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca
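The following script is an added example and not part of the thread or of the OpenSSL project's own code. It rebuilds the situation discussed above on a throw-away PKI (a root, an issuing sub CA, a leaf) and signs OCSP responses for the leaf with two delegated responders that both carry the OCSP signing EKU: one issued by the root, as Konrads' responder was, and one issued by the sub CA that issued the leaf, as Patrick recommends. Trusting only the root, `openssl ocsp` rejects the first with the same "root ca not trusted" error and accepts the second, because RFC 2560 section 4.2.2.2 (and OpenSSL's issuer check in OCSP_basic_verify) requires a delegated responder certificate to be issued by the CA that issued the certificate being checked. The last two cases are Steve's two escape hatches: `-VAfile` to trust the responder certificate directly, and `openssl x509 -addtrust OCSPSigning` to give the root the explicit OCSP signing trust the failing check looks for. All names, subjects, serials and the `index.txt` contents are invented for the demo; it assumes an `openssl` binary (1.1.1 or 3.x) on PATH and runs entirely offline by passing the request and response through files.

```shell
#!/bin/sh
# Added example: reproduce the "root ca not trusted" OCSP failure and its fixes.
# Everything here is synthetic; only the openssl options matter.

WORK=${WORK:-$(mktemp -d)}
cd "$WORK" || exit 1

# Extension files for `openssl x509 -req -extfile`. Both responders get the
# id-kp-OCSPSigning EKU, like the thread's cert; only their issuer differs.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > leaf.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=OCSPSigning\n' > ocsp.ext

# gen NAME CN: P-256 key plus CSR (EC keeps key generation fast and quiet)
gen() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# sign NAME ISSUER EXTFILE SERIAL: issue NAME.csr under ISSUER with EXTFILE
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$4" \
    -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
}

make_pki() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout root.key -out root.pem -subj /CN=DemoRoot -days 30 2>/dev/null
  gen sub DemoSubCA        && sign sub root ca.ext 0x10
  gen leaf leaf.example    && sign leaf sub leaf.ext 0x1000
  gen ocsp-root DemoOCSP-R && sign ocsp-root root ocsp.ext 0x20  # root-issued responder (the thread)
  gen ocsp-sub DemoOCSP-S  && sign ocsp-sub sub ocsp.ext 0x2000  # issued by the leaf's CA (RFC 2560 4.2.2.2)

  # CA database read by `openssl ocsp -index`: status, expiry, revocation date,
  # serial, file name, subject. Only status and serial are consulted here; the
  # expiry column is a placeholder value.
  serial=$(openssl x509 -in leaf.pem -noout -serial | cut -d= -f2)
  printf 'V\t350101000000Z\t\t%s\tunknown\t/CN=leaf.example\n' "$serial" > index.txt

  # The client's request, written to a file. -no_nonce so the request rebuilt at
  # verification time does not fail the nonce comparison against a stored response.
  openssl ocsp -issuer sub.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1
}

# issue_response RESPONDER OUT: answer req.der as RESPONDER. -rother ships the
# sub CA inside the response so the verifier can build the responder's chain.
issue_response() {
  openssl ocsp -index index.txt -CA sub.pem -rsigner "$1.pem" -rkey "$1.key" \
    -rother sub.pem -reqin req.der -respout "$2" >/dev/null 2>&1
}

# verify_response RESP CAFILE [extra openssl ocsp options]: trust only CAFILE,
# as the thread did; returns 0 iff OpenSSL prints "Response verify OK"
verify_response() {
  resp=$1; cafile=$2; shift 2
  out=$(openssl ocsp -issuer sub.pem -cert leaf.pem -no_nonce -respin "$resp" \
    -CAfile "$cafile" "$@" 2>&1)
  printf '%s\n' "$out" | grep -E 'Response [Vv]erify|root ca not trusted|leaf\.pem'
  printf '%s\n' "$out" | grep -q 'Response verify OK'
}

demo() {
  make_pki
  issue_response ocsp-root resp-from-root.der
  issue_response ocsp-sub resp-from-sub.der
  echo '== responder issued by the root (thread setup): expect "root ca not trusted"'
  if verify_response resp-from-root.der root.pem; then echo 'unexpected success'; return 1; fi
  echo '== responder issued by the sub CA that issued the leaf: expect OK'
  verify_response resp-from-sub.der root.pem || return 1
  echo '== root-issued responder, trusted directly with -VAfile: expect OK'
  verify_response resp-from-root.der root.pem -VAfile ocsp-root.pem || return 1
  echo '== root-issued responder, root given explicit OCSP signing trust: expect OK'
  openssl x509 -in root.pem -addtrust OCSPSigning -out root-ocsp-trusted.pem
  verify_response resp-from-root.der root-ocsp-trusted.pem || return 1
}

demo
```

The failing case is exactly Konrads' configuration: the chain from the responder certificate ends at a trusted root, so plain `openssl verify` is happy, but OCSP verification additionally walks that chain looking for the CA named in the response's CertID (here the sub CA) and, not finding it, falls back to asking whether the root carries explicit OCSP signing trust. The `-VAfile` override skips the check entirely, so it should be confined to responders you control; the `-addtrust OCSPSigning` variant is the second option Steve mentions and is broader than it looks, since it lets that root vouch for any responder under it.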