Michael Bell wrote:
> Hi,
>
> I looked for the first time at the code of the ocspd and now I have some
> questions:
>
> 1. Does the ocspd use index.txt only?
Yes, currently all the data is gathered from the index.txt. An example
is provided in the examples/ directory. This is simply OpenSSL's usual
file where certificate data is kept.
> 2. The RFC requires that a suspended cert is not valid. How we want to
> reflect this? Should we generate index.txt on the RA but interpret
> SUSPENDED like REVOKED?
Indeed, at the IETF there is, to me, some "confusion" about what a
suspended certificate really is. There have been several discussions about
that, and the current thinking about suspension is that you have to issue
a CRL with the onHold extension carrying an entry for the certificate you
want to suspend.
I had suggested the adoption of a "CSL" (Certificate Suspension List),
because there are clients that do not correctly support CRL extensions
(Netscape...) and because "revoking" a certificate by putting it on the CRL
authorises those clients to keep treating it as revoked.
To correctly reflect this we can generate an index.txt that reports the
revocation extension within it, or we can simply adopt the use of an
'S' (besides the normally adopted "V", "R" or "E") to indicate that the
certificate has been suspended. I cannot remember RFC 2560 exactly, but a
response can be generated with the NID_hold_instruction_code reason
(actually the code is already capable of doing it).
> 3. Where should we generate index.txt (see 2)?
On the RAServer. We could have:
1. A function to generate the index.txt from scratch using
the current OpenCA db -- updateOCSP;
2. When updating the OpenCA dbms we could update the index.txt
too by adding new certs or modifying entries (on new cert
import or CRL import).
--
C'you,
Massimiliano Pala
--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] madwolf at cpan.org
madwolf at openca.org
http://www.openca.org madwolf at hackmasters.net
http://openca.sourceforge.net Mobile: +39 (0)347 7222 365
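The message above discusses serving OCSP status out of OpenSSL's index.txt and marking suspended certificates with an extra 'S' status letter. The following added example (not ocspd or OpenCA code) parses that file format and maps each entry to the status a responder would report. It assumes the standard OpenSSL column layout (status, expiry, revocation date with an optional ",reason" suffix, serial, filename, subject), that the proposed 'S' marker means suspended and is reported as revoked with reason certificateHold, and the sample index lines are constructed for illustration.

```python
"""Parse an OpenSSL-style index.txt and derive OCSP single-response status.

Added example, not the ocspd/OpenCA implementation. Assumed conventions:
  * columns are tab separated: status, expiry, revocation[,reason],
    serial (hex), filename, subject DN (OpenSSL 'ca' layout);
  * 'S' is the suspended marker proposed in the thread and is reported
    as revoked with reason certificateHold (hold instruction).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

FIELDS = 6

# V/R/E are OpenSSL's own markers; 'S' is the proposed suspension marker.
# OCSP "good" only asserts "not revoked", so an expired (E) certificate
# still answers "good" here; validity-period checks belong to the client.
STATUS_TO_OCSP = {"V": "good", "E": "good", "R": "revoked", "S": "revoked"}


@dataclass
class IndexEntry:
    status: str
    expiry: datetime
    revocation_time: Optional[datetime]
    reason: Optional[str]
    serial: str
    subject: str


def parse_time(value: str) -> datetime:
    """Parse OpenSSL's YYMMDDHHMMSSZ (13 chars) or YYYYMMDDHHMMSSZ stamps."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index_line(line: str) -> IndexEntry:
    """Parse one index.txt line; reject malformed lines and unknown markers."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != FIELDS:
        raise ValueError(f"expected {FIELDS} tab-separated fields, got {len(parts)}")
    status, expiry, revocation, serial, _filename, subject = parts
    if status not in STATUS_TO_OCSP:
        raise ValueError(f"unknown status marker {status!r}")
    rev_time: Optional[datetime] = None
    reason: Optional[str] = None
    if revocation:
        rev_date, _, reason_text = revocation.partition(",")
        rev_time = parse_time(rev_date)
        reason = reason_text or None
    if status == "S" and reason is None:
        reason = "certificateHold"  # suspension surfaces as a hold reason
    return IndexEntry(status, parse_time(expiry), rev_time, reason,
                      serial.upper(), subject)


def load_index(text: str) -> Dict[str, IndexEntry]:
    """Index all non-empty lines by (upper-cased hex) serial number."""
    entries: Dict[str, IndexEntry] = {}
    for raw in text.splitlines():
        if raw.strip():
            entry = parse_index_line(raw)
            entries[entry.serial] = entry
    return entries


def ocsp_status(entries: Dict[str, IndexEntry], serial: str) -> dict:
    """Status an ocspd-like responder would report for one serial."""
    entry = entries.get(serial.upper())
    if entry is None:
        return {"status": "unknown"}  # never issued according to this index
    if STATUS_TO_OCSP[entry.status] == "good":
        return {"status": "good"}
    return {"status": "revoked",
            "revocationTime": entry.revocation_time,
            "reason": entry.reason}


# Constructed sample index.txt content (not from any real CA).
SAMPLE_INDEX = (
    "V\t260101000000Z\t\t1001\tunknown\t/CN=alice\n"
    "R\t260101000000Z\t240315120000Z,keyCompromise\t1002\tunknown\t/CN=bob\n"
    "S\t260101000000Z\t240401090000Z\t1003\tunknown\t/CN=carol\n"
    "E\t230101000000Z\t\t1004\tunknown\t/CN=dave\n"
)

if __name__ == "__main__":
    db = load_index(SAMPLE_INDEX)
    for serial in ("1001", "1002", "1003", "1004", "9999"):
        print(serial, ocsp_status(db, serial))
```

The responder answers "unknown" for serials absent from the index rather than "good", which keeps a missing or truncated index.txt from silently vouching for certificates it knows nothing about.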