Alicia da Conceicao wrote:
>
> My contacts at Netscape mentioned that a few CAs like VeriSign have
> issued new root CA certs that support the new OCSP (Online Cert Status
> Protocol), specified in RFC 2560. He also mentioned that OCSP support
> will not only be included in future Netscape browser/messenger
> releases, but will be also turned on (enabled) by default.
>
> Because of this, we think it is wise for us to also add OCSP support to
> our root CA certs. The folks at Netscape mentioned that I only have a
> few days to resubmit replacement root certs with OCSP support, in
> order to make the cutoff for the Mozilla 6.0 release. If we add OCSP
> support to our root certs by the cutoff, it would avoid having to
> reissue our root certs in a year or so. Unfortunately they did not
> give me any idea how to do this.
>
You can do this via the authority information access extension. The
format is undocumented but something like:
authorityInfoAccess = OCSP;URI:http://some.ocsp.server/whatever/path
should do it. You might want to see if Netscape attempts to access this
URI when you load the CA and/or when you verify a message containing a
certificate signed by the CA.
However if you do this and you never run an OCSP server this is
obviously a bad idea.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
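The config line Steve describes, carried through end to end as an added example (this is not code from the original mail or from the OpenSSL project): it writes a minimal openssl.cnf whose CA extension section carries an authorityInfoAccess entry, builds a self-signed root with it, and then reads the OCSP URI back out of the certificate so you can confirm it actually landed. The responder URL, subject name, key size and file names are all assumed for the demo. One caveat worth keeping in mind: the AIA in a root tells a client where to check that root's own status, which most clients never do; the same authorityInfoAccess line also belongs in the extension section you use when signing end-entity certificates, since that is the AIA a browser follows when it checks revocation of a server or e-mail certificate.

```shell
#!/bin/sh
# Added example (not from the original mail): build a self-signed root CA
# with an authorityInfoAccess extension pointing at an OCSP responder, then
# read the URI back out of the certificate to confirm it is present.
# The responder URL, subject and file names are assumptions for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
OCSP_URL="http://ocsp.example.test/"          # assumed responder location

# Minimal openssl.cnf. The v3_ca section is what "-extensions v3_ca" selects.
# authorityInfoAccess takes "accessMethod;accessLocation" pairs; OCSP and
# caIssuers are the two access methods RFC 2560 / RFC 5280 define.
write_config() {
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Root CA (demo)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityInfoAccess = OCSP;URI:$OCSP_URL
EOF
}

# Generate the key and the self-signed root in one step, using the
# extensions from the v3_ca section above.
make_root() {
    write_config
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -config "$WORK/ca.cnf" -extensions v3_ca 2>/dev/null
}

# Print the OCSP URI a client would pull out of the AIA extension.
# "openssl x509 -ocsp_uri" does exactly that; empty output means the
# certificate carries no OCSP access description.
aia_ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# The extension as it appears in the text dump, for comparison with what
# a browser's certificate viewer would show.
show_aia() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Authority Information Access'
}

if [ "${1:-}" = "run" ]; then
    make_root
    show_aia "$WORK/ca.pem"
    echo "OCSP responder: $(aia_ocsp_uri "$WORK/ca.pem")"
fi
```

Run it as `sh aia-demo.sh run`; the text dump should show an `OCSP - URI:` line under Authority Information Access, and `-ocsp_uri` should print the same URL on its own. If `-ocsp_uri` prints nothing, the extension section was not selected (a missing `-extensions v3_ca` is the usual cause) and the certificate would be shipped without OCSP support.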