Taking this discussion out of bugzilla. As implemented currently the
OCSP validation is working like this:

1) trusted store T initialized with root certs configured via SSLCA*
2) foreach cert in chain from (root...client certificate):
   a) verify cert is signed by trusted cert (or, is transitively so)
   b) if so, perform OCSP validation on cert as follows:
      i) pick a responder, exchange OCSP messages
      ii) verify signature of OCSP response against certs in trusted
          store T

I'm not familiar with how OCSP is typically deployed; my questions are:

a) is it acceptable to assume that the same set of trusted certs is used
   to verify the signature of the OCSP response as is used to verify the
   client cert itself? Or do these need to be separately configurable?

b) does it really make sense to be doing OCSP validation individually on
   each cert in the peer's cert chain? Marc mentioned an issue with a
   compromised intermediary cert; but I want to be sure I understand this
   properly. Can someone explain the exact threat model which checking the
   whole chain would be necessary for?

c) Steve mentioned some responders don't accept requests with nonces.
   What is a sane default? Send nonces (more secure), or not (better
   interop). From reading the RFC it looks like mod_ssl should also be
   checking the validity times from the OCSP response, which would help, I
   guess.

Regards,
joe
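
Added example (not part of the original message, and not mod_ssl or OpenSSL code): a sketch of the trade-off in question (c), where a mismatched nonce is always rejected, a missing nonce is rejected only under a strict policy, and the thisUpdate/nextUpdate window bounds replay when the responder does not echo the nonce. All type, field and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Hypothetical types and names for illustration; not mod_ssl or OpenSSL API. */
enum ocsp_verdict { OCSP_OK, OCSP_NOT_YET_VALID, OCSP_EXPIRED, OCSP_TOO_OLD,
                    OCSP_NONCE_MISMATCH, OCSP_NONCE_MISSING };

struct ocsp_times {
    time_t this_update;   /* thisUpdate from the response */
    time_t next_update;   /* nextUpdate, or 0 if the responder omitted it */
};

struct ocsp_policy {
    long skew;            /* tolerated clock skew, in seconds */
    long max_age;         /* max age of thisUpdate in seconds, <0 disables */
    bool require_nonce;   /* true: reject responses that do not echo the nonce */
};

enum ocsp_verdict ocsp_check_fresh(const struct ocsp_times *t,
                                   const unsigned char *req_nonce, size_t req_len,
                                   const unsigned char *resp_nonce, size_t resp_len,
                                   const struct ocsp_policy *p, time_t now)
{
    /* Nonce: a mismatch is always fatal; absence is fatal only when strict. */
    if (req_len > 0) {
        if (resp_len > 0) {
            if (resp_len != req_len ||
                memcmp(req_nonce, resp_nonce, req_len) != 0)
                return OCSP_NONCE_MISMATCH;
        } else if (p->require_nonce) {
            return OCSP_NONCE_MISSING;
        }
    }
    /* Validity window: always applied; the only replay bound without a nonce. */
    if (t->this_update > now + p->skew)
        return OCSP_NOT_YET_VALID;
    if (t->next_update != 0 && t->next_update < now - p->skew)
        return OCSP_EXPIRED;
    if (p->max_age >= 0 && t->this_update < now - p->skew - p->max_age)
        return OCSP_TOO_OLD;
    return OCSP_OK;
}
```

With require_nonce off, the length of the replay window is whatever the responder puts between thisUpdate and nextUpdate, capped by max_age.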