Joe Orton wrote:
> Many thanks for the detailed response! Everything taken on board, with
> one further question:
>
> On Thu, Nov 29, 2007 at 09:35:40PM +0000, Dr Stephen Henson wrote:
> ...
>> OpenSSL supports #1 and #2 directly so these should be automatic if the
>> OpenSSL OCSP API has been used correctly.
>>
>> A limited form of #3 is implemented in OpenSSL. A generalised version
>> might be more appropriate in some circumstances but would need
>> additional configuration options to implement.
>
> Making the responder signature verification configurable in mod_ssl
> would just involve setting up a different set of trusted certs in an
> X509_STORE_CTX and passing that as the context parameter to
> OCSP_basic_verify(), right? (When you say "OpenSSL supports...", I
> wonder if there is something more subtle here)
>
There isn't any need to have a separate store really. A set of root CAs for different purposes can share a common store with each one given an appropriate set of trust settings. These can be edited using the OpenSSL 'x509' utility.

The idea here for example is that a root CA can be labeled as trusted for client authentication or server authentication only. To retain compatibility with root CAs without trust settings most are on by default. OCSP signing is an exception which is off by default.

When a root has OCSP signing trust enabled any chain leading to it can be used to sign arbitrary OCSP requests. This is a specific case of #3 where a special chain is used as a "global responder" which is trusted to give status information about any CA.

There's some more info about this at:

http://www.openssl.org/docs/apps/ocsp.html#OCSP_Response_verification_

In some cases that is too wide and restrictions on the set of CAs a given chain can authorise are more appropriate. We could in future extend the OpenSSL trust settings to authorise chains only for specific CAs (e.g. by OCSP IDs). That would probably make the need for separate per-CA configuration options in mod_ssl unnecessary.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
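The trust-setting mechanism Steve describes, as an added example that is not part of the thread or of mod_ssl: it builds a throwaway PKI with the openssl CLI (1.1.1 or later and the stock req config are assumed), has a delegated responder that lacks the id-kp-OCSPSigning EKU sign a response, and shows OCSP_basic_verify (driven through `openssl ocsp`) rejecting that response against the plain root but accepting it once the root carries the OCSPSigning trust setting from `x509 -addtrust`. Every name, serial and path below is constructed.

```shell
#!/bin/sh
# Throwaway PKI: a root, a delegated responder WITHOUT id-kp-OCSPSigning,
# a leaf, and an offline OCSP response for the leaf. All names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue <name> <serial> <subject>: key plus certificate signed by the root
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$3" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -set_serial "$2" -days 30 \
    -out "$WORK/$1.pem" 2>/dev/null
}

setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.pem" -subj /CN=DemoRoot -days 30 2>/dev/null
  issue responder 0x1000 /CN=DemoResponder   # no OCSPSigning EKU on purpose
  issue leaf 0x1001 /CN=demo.example
  # CA index line: status, expiry, revocation date (empty), serial, file, subject
  printf 'V\t491231235959Z\t\t1001\tunknown\t/CN=demo.example\n' \
    > "$WORK/index.txt"
  # Request for the leaf, answered offline by the responder (no listener needed)
  openssl ocsp -issuer "$WORK/root.pem" -cert "$WORK/leaf.pem" -no_nonce \
    -reqout "$WORK/req.der" >/dev/null 2>&1
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/root.pem" \
    -rsigner "$WORK/responder.pem" -rkey "$WORK/responder.key" \
    -reqin "$WORK/req.der" -respout "$WORK/resp.der" >/dev/null 2>&1 || true
  [ -s "$WORK/resp.der" ]
  # The same root re-emitted as a TRUSTED CERTIFICATE carrying the
  # OCSPSigning trust setting (the 'x509' utility edit Steve refers to)
  openssl x509 -in "$WORK/root.pem" -addtrust OCSPSigning \
    -out "$WORK/root-ocsp.pem"
}

# verify_with <cafile>: exit 0 if OCSP_basic_verify accepts the response
verify_with() {
  openssl ocsp -respin "$WORK/resp.der" -issuer "$WORK/root.pem" \
    -cert "$WORK/leaf.pem" -CAfile "$1" >/dev/null 2>&1
}

setup_pki
if verify_with "$WORK/root.pem"; then plain=ok; else plain=rejected; fi
if verify_with "$WORK/root-ocsp.pem"; then trusted=ok; else trusted=rejected; fi
echo "plain root: $plain; root with OCSPSigning trust: $trusted"
```

The first verification fails with "Root CA not trusted" because the signer is neither the issuing CA nor a responder with the OCSPSigning EKU; the second succeeds only because the root's aux trust now names OCSPSigning, which is exactly the "global responder" case.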
