Jan Pechanec wrote:
> On Fri, 21 Dec 2007, Huie-Ying Lee wrote:
>
> hi Huie-Ying,
>
>> If the number of OCSP responses does not correspond to the number of
>> certificates, then it is not easy to decide the mapping between the
>> certificates and the responses. A response file
>
> I think that we can't force the situation where we have an OCSP
> single response for each certificate. Every CA on the way can have a
> different policy so some might not use OCSP at all but CRL only.
Most commonly, I would expect only a single CA, or at most maybe 2, to be
involved. But, theoretically, I think you are correct, there *could* be many
CAs with different policies.

>> If there is only one response file for the entire chain, then it is OK,
>> because in this situation, we can safely assume that this response file
>> is for all the certificates in the chain.
>
> I think that if the OCSP response list was "sorted" according to the
> list of certificates then it's not a problem if some OCSP responses are
> missing. It's not O(n^2) but O(n) then.
>
> I also think that it would be better to get certificates and
> responses in pairs in SSH protocols, where OCSP part would be optional. I
> approached IETF SSH list with that. Do you think that if you got an array of
> certificate/response pairs (response optional) that it would be better for
> you?
>
> cheers, Jan.

Yes, it would certainly make the processing faster if the response was
included with each cert.

-Wyllys
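The three layouts discussed in the thread (an unordered list of responses, a list sorted in chain order with gaps, and explicit certificate/response pairs) can be compared on constructed data. The following is an added illustration and not code from the SSH implementation or the IETF proposal being discussed; certificates and OCSP responses are simplified records rather than parsed ASN.1, and a SHA-1 of the issuer name plus the serial number stands in for the real OCSP CertID. The O(n*m) scan, the dictionary-indexed O(n+m) variant and the single-pass ordered merge all produce the same array of (certificate, optional response) pairs, which is the shape Jan proposes carrying on the wire; a certificate with no response is left for CRL or local policy rather than treated as an error, while an ordered response that does not line up with the chain is reported because the ordering assumption has been broken.

```python
"""Pairing OCSP responses with the certificates of an X.509 chain.

Added example for the thread above; not code from the SSH implementation
under discussion. Records are simplified stand-ins for real certificates
and OCSP SingleResponse structures (assumption, no ASN.1 parsing here).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import hashlib


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


@dataclass(frozen=True)
class CertID:
    """Subset of the OCSP CertID: issuer-name hash plus serial number."""
    issuer_name_hash: bytes
    serial: int


@dataclass(frozen=True)
class OCSPResponse:
    cert_id: CertID
    status: str  # "good", "revoked" or "unknown"


Pair = Tuple[Cert, Optional[OCSPResponse]]


def cert_id_for(cert: Cert) -> CertID:
    """Identifier a responder would put in the SingleResponse for this cert."""
    return CertID(hashlib.sha1(cert.issuer.encode()).digest(), cert.serial)


def match_unordered(chain: List[Cert], responses: List[OCSPResponse]) -> List[Pair]:
    """Responses arrive in no particular order: scan them for every cert, O(n*m)."""
    pairs: List[Pair] = []
    for cert in chain:
        want = cert_id_for(cert)
        pairs.append((cert, next((r for r in responses if r.cert_id == want), None)))
    return pairs


def match_indexed(chain: List[Cert], responses: List[OCSPResponse]) -> List[Pair]:
    """Same input, but index the responses by CertID first, O(n+m)."""
    by_id = {r.cert_id: r for r in responses}
    return [(c, by_id.get(cert_id_for(c))) for c in chain]


def match_ordered(chain: List[Cert], responses: List[OCSPResponse]) -> List[Pair]:
    """Responses are sorted in chain order and some may be missing: one pass.

    A response that never lines up with a certificate means the sender did
    not honour the ordering, so it is reported rather than silently dropped.
    """
    pairs: List[Pair] = []
    j = 0
    for cert in chain:
        if j < len(responses) and responses[j].cert_id == cert_id_for(cert):
            pairs.append((cert, responses[j]))
            j += 1
        else:
            pairs.append((cert, None))
    if j != len(responses):
        raise ValueError("%d OCSP response(s) match no certificate in chain order"
                         % (len(responses) - j))
    return pairs


def chain_status(pairs: List[Pair]) -> List[Tuple[str, Optional[str]]]:
    """Per-certificate status; None means no OCSP response was supplied for
    that cert, so the caller must fall back to a CRL or local policy."""
    return [(c.subject, r.status if r else None) for c, r in pairs]


# Constructed chain: leaf <- intermediate CA2 <- self-signed root CA1.
LEAF = Cert("host.example", "CA2", 1001)
CA2 = Cert("CA2", "CA1", 7)
CA1 = Cert("CA1", "CA1", 1)
CHAIN = [LEAF, CA2, CA1]

# Constructed responses: CA2 answers for the leaf, CA1 answers for CA2,
# nobody answers for the self-signed root (CRL-only policy, as in the thread).
RESPONSES = [
    OCSPResponse(cert_id_for(LEAF), "good"),
    OCSPResponse(cert_id_for(CA2), "good"),
]

if __name__ == "__main__":
    for name, fn in (("unordered", match_unordered), ("indexed", match_indexed),
                     ("ordered", match_ordered)):
        print(name, chain_status(fn(CHAIN, RESPONSES)))
```

All three matchers agree on this input; the ordered merge is the only one that also detects a response list delivered out of chain order, which is the property the proposed certificate/response pair encoding makes structural instead of something the receiver has to check.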
