question on OCSP



Hi,

According to Item 3 of Section 3.2 of RFC2560, OCSP clients should confirm that "the identity of the signer matches the intended recipient of the request" before accepting a signed OCSP response.

Can I ask how this can be achieved by the client? It is not quite as simple as it seems, since the OCSP client may not know the identity of the OCSP responder in advance, but only have an address of where the OCSP responder is located (e.g. from the AIA extension of the certificate whose revocation status is being checked).

Thanks and my apologies if this has already been covered before.

Regards,

Liaquat Khan