
RE: OCSP authorized responder clarification.



Hi Steve,
    You are absolutely right - the CA needs to directly authorize
the OCSP responder to respond on its behalf. The fact that the
root authorized you to respond doesn't allow you to respond for all
CAs certified by that root in the CA delegated trust model of OCSP.

Regards,
Ambarish



---------------------------------------------------------------------
Ambarish Malpani
Architect                                                650.567.5457
ValiCert, Inc.                                  ambarish@xxxxxxxxxxxx
339 N. Bernardo Ave.                          http://www.valicert.com
Mountain View, CA 94043


> -----Original Message-----
> From: Dr S N Henson [mailto:drh@xxxxxxxxxxx]
> Sent: Monday, January 08, 2001 4:34 AM
> To: PKIX-List
> Subject: OCSP authorized responder clarification.
> 
> 
> In RFC2560 4.2.2.2 the certificate signing an OCSP request is valid if
> it:
> 
> >    3. Includes a value of id-ad-ocspSigning in an ExtendedKeyUsage
> >    extension and is issued by the CA that issued the certificate in
> >    question."
> 
> A certain CA issues end user certificates signed by an intermediate CA
> which is in turn signed by the root CA. 
> 
> The responder certificate is signed by the root CA. Does this, as
> appears to be the case, mean that the above condition does not apply
> because the OCSP responder certificate is not signed by the
> intermediate CA?
> 
> Alternatively is the condition satisfied because they both have the
> same root CA?
> 
> Steve.
> -- 
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: shenson@xxxxxxxxxxxxxxxxxxxxxxxxxxx 
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: drh@xxxxxxxxxxx PGP key: via homepage.
>
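The authorization rule discussed in this thread, worked through as an added example (it is not code from the list, from ValiCert or from OpenSSL). The snippet models the three acceptance cases of RFC 2560 section 4.2.2.2 on constructed, hypothetical certificates (a root, an intermediate, an end-entity certificate and two delegated responders) and shows that a responder certificate issued by the root is accepted for certificates the root issued, but not for certificates issued by the intermediate. Certificate names, key identifiers and the `Cert` stand-in are assumptions for illustration; a real implementation checks the responder certificate's signature against the CA's public key rather than the name/key-id comparison used here.

```python
from dataclasses import dataclass

# OID of the OCSP signing extended key usage (RFC 2560 calls it id-ad-ocspSigning,
# RFC 6960 id-kp-OCSPSigning; the value is the same).
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate; only the fields the rule needs."""
    subject: str
    issuer: str
    subject_key_id: str        # SKI: identifies this certificate's own key
    authority_key_id: str      # AKI: SKI of the key that signed this certificate
    eku: frozenset = frozenset()


def issued_by(cert: Cert, ca: Cert) -> bool:
    """Stand-in for 'ca signed cert': issuer name and AKI must both point at ca.

    Matching only the issuer *name* would let any certificate that merely names
    the CA as issuer pass; real code verifies the signature with ca's public key.
    """
    return cert.issuer == ca.subject and cert.authority_key_id == ca.subject_key_id


def responder_authorized(responder: Cert, target: Cert, target_issuer: Cert,
                         trusted_responder_keys=frozenset()):
    """RFC 2560 4.2.2.2: may `responder` sign OCSP responses about `target`?

    target_issuer is the CA certificate that actually issued target.
    Returns (decision, reason).
    """
    if not issued_by(target, target_issuer):
        raise ValueError("target_issuer did not issue target")
    # Case 1: the response is signed by the issuing CA itself.
    if responder.subject_key_id == target_issuer.subject_key_id:
        return True, "case 1: responder is the issuing CA"
    # Case 2: a responder whose key the requester trusts by local configuration.
    if responder.subject_key_id in trusted_responder_keys:
        return True, "case 2: locally trusted responder key"
    # Case 3: delegated responder, which must carry the OCSP signing EKU *and*
    # be issued by the same CA that issued the target certificate.
    if OCSP_SIGNING in responder.eku and issued_by(responder, target_issuer):
        return True, "case 3: delegated responder issued by the target's CA"
    return False, "not authorized: not issued by the CA that issued the target"


# Constructed hierarchy matching the question: root -> intermediate -> end entity.
ROOT = Cert("CN=Root CA", "CN=Root CA", "ski-root", "ski-root")
INTERMEDIATE = Cert("CN=Intermediate CA", "CN=Root CA", "ski-inter", "ski-root")
END_ENTITY = Cert("CN=user@example.test", "CN=Intermediate CA", "ski-ee", "ski-inter")
# Responder certificate signed by the root (Steve's case).
RESPONDER_FROM_ROOT = Cert("CN=OCSP Responder", "CN=Root CA", "ski-resp1", "ski-root",
                           frozenset({OCSP_SIGNING}))
# Responder certificate signed by the intermediate (what the RFC requires for END_ENTITY).
RESPONDER_FROM_INTER = Cert("CN=OCSP Responder", "CN=Intermediate CA", "ski-resp2", "ski-inter",
                            frozenset({OCSP_SIGNING}))
# A certificate that names the intermediate as issuer but was not signed by its key.
IMPOSTOR = Cert("CN=OCSP Responder", "CN=Intermediate CA", "ski-bad", "ski-unknown",
                frozenset({OCSP_SIGNING}))


def scenario():
    """Decisions for the cases raised in the thread, keyed by description."""
    return {
        "root_signed_responder_for_end_entity":
            responder_authorized(RESPONDER_FROM_ROOT, END_ENTITY, INTERMEDIATE)[0],
        "root_signed_responder_for_intermediate":
            responder_authorized(RESPONDER_FROM_ROOT, INTERMEDIATE, ROOT)[0],
        "intermediate_signed_responder_for_end_entity":
            responder_authorized(RESPONDER_FROM_INTER, END_ENTITY, INTERMEDIATE)[0],
        "ca_itself_for_end_entity":
            responder_authorized(INTERMEDIATE, END_ENTITY, INTERMEDIATE)[0],
        "locally_trusted_root_responder_for_end_entity":
            responder_authorized(RESPONDER_FROM_ROOT, END_ENTITY, INTERMEDIATE,
                                 trusted_responder_keys=frozenset({"ski-resp1"}))[0],
        "impostor_naming_intermediate_for_end_entity":
            responder_authorized(IMPOSTOR, END_ENTITY, INTERMEDIATE)[0],
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'authorized' if ok else 'NOT authorized'}")
```

The first entry is Steve's exact situation and evaluates to not authorized, matching Ambarish's answer: sharing a root is not enough, the delegated responder has to be issued by the intermediate that issued the certificate being checked. The fifth entry shows the only way a root-issued responder becomes acceptable for the end-entity certificate, namely the requester trusting that responder key explicitly (case 2), which is a local policy decision rather than something the root's signature grants.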