Hi,

When checking certificates you always have to take two steps:
- A CRL or OCSP only tells you if the certificate you got from someone
is not listed as revoked
- By decrypting the signature of the certificate with the public key
of the CA you can check if this certificate was really created by the
CA or not

Only checking with OCSP if this certificate was created or not would
mean that you have to distribute huge lists with all certificates ever
created by a CA to all OCSP responders ...

Kind regards,
Matthias

On Nov 6, 2007 10:21 PM, Bruce Keats <[EMAIL PROTECTED]> wrote:
> I didn't write the ocspd, but I am trying to get it to work.
>
> The response in this case is a valid response.  Check out RFC 2560, Section
> 2.2, page 2.  There is a paragraph that talks about the meaning of "good" for
> the certificate status in the OCSP response.
>
> Bruce
>
>
>
> On 11/6/07, Dino <[EMAIL PROTECTED]> wrote:
> >
> > Thanks Bruce,
> >
> > But who is right?
> >
> > $ openssl ocsp -issuer someCaCert.pem -serial 0xnn -host some:port
> >
> > Returns status:unknown for non-issued serial numbers?
> >
> > Best regards
> >
> > Dino
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by: Splunk Inc.
> > Still grepping through log files to find problems?  Stop.
> > Now Search log events and configuration files using AJAX and a browser.
> > Download your FREE copy of Splunk now >> http://get.splunk.com/
> > _______________________________________________
> > Openca-Users mailing list
> > Openca-Users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/openca-users
> >
> >
>
>
>

