Re: OCSP authorized responder clarification.
Just to confirm that the GTA has come to the same conclusion. As such, the
CA which has given authorisation to the OCSP responder is also the one that
issues the OCSP responder with the certificate for its public key.
Within the GTA model, a particular OCSP responder's public key could be
certified by more than one CA.
Directly certifying an OCSP responder has the advantage that one OCSP
responder cannot potentially 'spoof' another OCSP responder within the same
infrastructure. A root certifying all OCSP responders within an
infrastructure could potentially open up this security concern.
Regards,
Liaquat
----- Original Message -----
From: "Ambarish Malpani" <ambarish@xxxxxxxxxxxx>
To: "'Dr S N Henson'" <drh@xxxxxxxxxxx>; "PKIX-List" <ietf-pkix@xxxxxxx>
Sent: Wednesday, January 10, 2001 9:18 AM
Subject: RE: OCSP authorized responder clarification.
>
> Hi Steve,
> You are absolutely right - the CA needs to directly authorize
> the OCSP responder to respond on its behalf. The fact that the
> root authorized you to respond doesn't allow you to respond for all
> CAs certified by that root in the CA delegated trust model of OCSP.
>
> Regards,
> Ambarish
>
>
>
> ---------------------------------------------------------------------
> Ambarish Malpani
> Architect 650.567.5457
> ValiCert, Inc. ambarish@xxxxxxxxxxxx
> 339 N. Bernardo Ave. http://www.valicert.com
> Mountain View, CA 94043
>
>
> > -----Original Message-----
> > From: Dr S N Henson [mailto:drh@xxxxxxxxxxx]
> > Sent: Monday, January 08, 2001 4:34 AM
> > To: PKIX-List
> > Subject: OCSP authorized responder clarification.
> >
> >
> > In RFC2560 4.2.2.2 the certificate signing an OCSP request is valid if
> > it:
> >
> > > 3. Includes a value of id-ad-ocspSigning in an ExtendedKeyUsage
> > > extension and is issued by the CA that issued the certificate in
> > > question."
> >
> > A certain CA issues end user certificates signed by an intermediate CA
> > which is in turn signed by the root CA.
> >
> > The responder certificate is signed by the root CA. Does this, as
> > appears to be the case, mean that the above condition does not apply
> > because the OCSP responder certificate is not signed by the intermediate
> > CA?
> >
> > Alternatively, is the condition satisfied because they both have the same
> > root CA?
> >
> > Steve.
> > --
> > Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> > Personal Email: shenson@xxxxxxxxxxxxxxxxxxxxxxxxxxx
> > Senior crypto engineer, Celo Communications: http://www.celocom.com/
> > Core developer of the OpenSSL project: http://www.openssl.org/
> > Business Email: drh@xxxxxxxxxxx PGP key: via homepage.
> >
>
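The rule the three messages above converge on, as an added worked example that is not code from the thread or from any of the posters: a delegated responder is authorized for a given certificate only when its own certificate was issued by the direct issuer of that certificate and carries the OCSP signing extended key usage. The PKI below is constructed for the example (one root, two intermediates A and B, an end-entity under each, a responder certified by the root, a responder certified by intermediate A, and a forged responder whose issuer name says A but whose signature was made with B's key); every name and key in it is made up on the fly. The check uses the `cryptography` package; note that the RFC text quoted above says "id-ad-ocspSigning", while the OID actually defined for the extended key usage is id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9), which is what `ExtendedKeyUsageOID.OCSP_SIGNING` denotes.

```python
"""Added example: the RFC 2560 4.2.2.2 'CA designated responder' check.

All certificates here are constructed in memory; nothing is a real CA.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, ca, eku=None):
    """Sign a minimal certificate for subject_key with issuer_key (constructed data)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    )
    if eku is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def is_authorized_responder(responder_cert, target_cert, target_issuer_cert):
    """RFC 2560 4.2.2.2 case 3: the responder cert must carry id-kp-OCSPSigning
    and be issued by the CA that issued target_cert (its direct issuer, not an
    ancestor).  target_issuer_cert is the CA certificate the client has already
    validated as the issuer of target_cert."""
    try:
        eku = responder_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
        return False
    # A matching issuer name alone proves nothing (any CA can put that name in
    # a certificate), so the issuer's key must actually have signed the responder cert.
    if responder_cert.issuer != target_cert.issuer or target_issuer_cert.subject != target_cert.issuer:
        return False
    try:
        target_issuer_cert.public_key().verify(
            responder_cert.signature,
            responder_cert.tbs_certificate_bytes,
            ec.ECDSA(responder_cert.signature_hash_algorithm),
        )
    except InvalidSignature:
        return False
    return True


def build_demo_pki():
    """Constructed hierarchy: root -> {CA A -> user-a, CA B -> user-b}, plus responders."""
    keys = {n: ec.generate_private_key(ec.SECP256R1()) for n in
            ("root", "ca_a", "ca_b", "ee_a", "ee_b", "resp_root", "resp_a", "resp_forged")}
    ocsp = [ExtendedKeyUsageOID.OCSP_SIGNING]
    return {
        "root": make_cert("Demo Root", keys["root"], "Demo Root", keys["root"], True),
        "ca_a": make_cert("Demo CA A", keys["ca_a"], "Demo Root", keys["root"], True),
        "ca_b": make_cert("Demo CA B", keys["ca_b"], "Demo Root", keys["root"], True),
        "ee_a": make_cert("user-a", keys["ee_a"], "Demo CA A", keys["ca_a"], False),
        "ee_b": make_cert("user-b", keys["ee_b"], "Demo CA B", keys["ca_b"], False),
        # responder certified by the root only (the scenario in the original question)
        "resp_root": make_cert("OCSP root-issued", keys["resp_root"], "Demo Root", keys["root"], False, ocsp),
        # responder certified directly by intermediate A
        "resp_a": make_cert("OCSP A-issued", keys["resp_a"], "Demo CA A", keys["ca_a"], False, ocsp),
        # issuer name claims CA A, but CA B's key made the signature
        "resp_forged": make_cert("OCSP forged", keys["resp_forged"], "Demo CA A", keys["ca_b"], False, ocsp),
    }


def evaluate(certs):
    """Which responder may answer for which certificate under the 4.2.2.2 rule."""
    return {
        # root-issued responder asked about an end-entity issued by CA A: not authorized
        "root_resp_for_ee_a": is_authorized_responder(certs["resp_root"], certs["ee_a"], certs["ca_a"]),
        # root-issued responder asked about CA A's own certificate: authorized, the root issued it
        "root_resp_for_ca_a": is_authorized_responder(certs["resp_root"], certs["ca_a"], certs["root"]),
        # A-issued responder for A's end-entity: authorized
        "a_resp_for_ee_a": is_authorized_responder(certs["resp_a"], certs["ee_a"], certs["ca_a"]),
        # A-issued responder for B's end-entity: not authorized (one responder cannot answer for another CA)
        "a_resp_for_ee_b": is_authorized_responder(certs["resp_a"], certs["ee_b"], certs["ca_b"]),
        # forged issuer name: rejected because CA A's key did not sign it
        "forged_resp_for_ee_a": is_authorized_responder(certs["resp_forged"], certs["ee_a"], certs["ca_a"]),
    }


if __name__ == "__main__":
    for case, ok in evaluate(build_demo_pki()).items():
        print(f"{case}: {'authorized' if ok else 'NOT authorized'}")
```

The root-issued responder passes only for certificates the root itself issued (the intermediate CA certificates), which is exactly the reading given in the replies: authorization from the root does not extend to certificates issued by CAs beneath it. A real client would additionally check the responder certificate's validity period and its revocation status (or an id-pkix-ocsp-nocheck extension) before accepting the response; those checks are left out here to keep the example to the delegation rule under discussion.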