RE: CA=True for an OCSP certficat
At 8:15 PM -0400 4/2/08, Santosh Chokhani wrote:
Steve,
I agree with you on the time stamp server.
But, under RFC 2560, one of the models is for the CA (and I interpret
that to mean using the same key that signed the certificate whose
revocation status is being checked) to sign the OCSP response. Hence
the CA certificate signing key can be used for OCSP signing.
Whoops, you're right. I had not looked at 2560, but 4.2.2.2 says
explicitly that the response can be signed using the same key that was
used to issue the cert, the status of which is being checked (although
it states this in a rather backwards fashion :-)).
Peter also pointed me to text in 3280, in the discussion of Basic
Constraints that clearly indicates that it is OK for a CA cert to be
used to verify non-cert and non-CRL data, in the case of cert
enrollment protocols:
This extension MAY appear as a critical or non-critical extension in CA
certificates that contain public keys used exclusively for purposes other
than validating digital signatures on certificates. Such CA certificates
include ones that contain public keys used exclusively for validating
digital signatures on CRLs and ones that contain key management public
keys used with certificate enrollment protocols.
Steve
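As an added example that is not part of this thread, the RFC 2560 section 4.2.2.2 signer rule the two messages discuss, written in Go against the standard crypto/x509 package: the response is acceptable when it is signed by the issuing CA's own certificate-signing key, or by a responder whose certificate was issued by that CA and carries id-kp-OCSPSigning. The function names, the throw-away Ed25519 keys and the certificate names and serials are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// ocspSignerRole applies RFC 2560 4.2.2.2: "ca" when the CA that issued the certificate
// being checked signed the response itself, "delegated" when the signer's certificate was
// issued by that CA and carries id-kp-OCSPSigning, "" otherwise (trusted responders omitted).
func ocspSignerRole(signer, issuer *x509.Certificate) string {
	if signer.Equal(issuer) { // case 1: signed with the CA's own certificate-signing key
		return "ca"
	}
	if signer.CheckSignatureFrom(issuer) == nil { // case 2: responder cert issued by the CA
		for _, eku := range signer.ExtKeyUsage {
			if eku == x509.ExtKeyUsageOCSPSigning {
				return "delegated"
			}
		}
	}
	return "" // CA=True alone, or a CA-issued cert without the EKU, does not qualify
}

// issue signs a certificate for cn under parent with parentKey (self-signed when parentKey
// is nil) using a throw-away Ed25519 key. Constructed test data, not a real PKI.
func issue(serial int64, cn string, ku x509.KeyUsage, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku, ExtKeyUsage: eku}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert, key
}

func main() { // constructed sample: a CA, a delegated responder it issued, a plain server cert
	ca, caKey := issue(1, "Example CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil, nil)
	responder, _ := issue(2, "Example OCSP Responder", x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}, ca, caKey)
	plain, _ := issue(3, "Example Server", x509.KeyUsageDigitalSignature, nil, ca, caKey)
	fmt.Println(ocspSignerRole(ca, ca), ocspSignerRole(responder, ca), ocspSignerRole(plain, ca) == "")
}
```

Note that the responder certificate is issued with CA=FALSE: the delegated case needs the EKU, not CA=True, while the CA case uses the CA certificate directly.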