Many thanks for the detailed response! Everything taken on board, with one further question:
On Thu, Nov 29, 2007 at 09:35:40PM +0000, Dr Stephen Henson wrote:
...
> OpenSSL supports #1 and #2 directly so these should be automatic if the
> OpenSSL OCSP API has been used correctly.
>
> A limited form of #3 is implemented in OpenSSL. A generalised version
> might be more appropriate in some circumstances but would need
> additional configuration options to implement.

Making the responder signature verification configurable in mod_ssl would just involve setting up a different set of trusted certs in an X509_STORE_CTX and passing that as the context parameter to OCSP_basic_verify(), right?

(When you say "OpenSSL supports...", I wonder if there is something more subtle here)

joe
