Philipp Gühring wrote:
Hi,

Hello!

I have 2 questions:

In the RFC I read:
[...]
How can we do that with OCSPD? Is there an option to set the reply for specific CA key to always respond with revoked? (No, we don't have the problem yet, but I would like to be prepared)

Well... you can not at the moment. There is no keyword that lets you
specify a CA has been compromised. But, it is very easy to implement,
so let's do it...

        ... That is the beauty of the Open Source... :-D

Now I just started the building process... finished. Now you should add to
the CA section the keyword 'ca_compromised', like this:

        ca_compromised = yes

this should cause the responder to respond properly according to the RFC.
(I did not test the behavior, please let me know if the server works
properly with the modified version... :-D)

Second question:

If I have Sub-CAs, and the OCSPD should answer for Sub-CAs' certificates.
[...]
This certificate MUST be issued directly by the CA that issued the
certificate in question.

This is kinda stupid, to me. It should be possible for a responder (if
properly trusted by the client) to respond for different CAs also if the
CAs have not issued a certificate for them. For example if I run a Root
CA that provides an OCSP service for all the CAs in the hierarchy it should
be possible for the root CA to do that without having each subCA issue
a certificate for the OCSP. Shall we promote a change in the RFC ?

Ok, so we have to have one OCSPD certificate *per* RootCA+SubCA we are running, and we have to tell the OCSPD to use them accordingly.

Maybe we could extend the OCSP to use a different cert+key for each CA
you configure... it is not difficult to do that...

I guess both questions should be put in the FAQ / Documentation of OCSPD.

Thanks! :-D

Cheers,
Max.

Attachment: ocspd_1.1.2_mod_files.tar.gz
Description: application/gzip
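The behaviour the two questions in this thread are about, as an added example that is not part of the thread or of ocspd's own code: a per-CA status decision that mirrors the proposed `ca_compromised = yes` keyword (every certificate of that CA is reported revoked, as the OCSP RFC, RFC 2560 section 2.2, allows) and a per-CA responder certificate as suggested for the Sub-CA question. The configuration text, the `crl_serials` and `responder_cert` keys and the section names are constructed for this example and are not ocspd's real syntax.

```python
import configparser

# Constructed sample in the style of an ocspd configuration. Only the
# 'ca_compromised' keyword comes from the thread; 'crl_serials' and
# 'responder_cert' are assumptions made for this example.
SAMPLE_CONFIG = """
[RootCA]
ca_compromised = no
crl_serials = 0x1001, 0x1003
responder_cert = /etc/ocspd/rootca-ocsp.pem

[SubCA]
ca_compromised = yes
crl_serials = 0x2002
responder_cert = /etc/ocspd/subca-ocsp.pem
"""


def load_cas(text):
    """Parse one section per CA into a dict of policy entries."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    cas = {}
    for name in cp.sections():
        sec = cp[name]
        raw = sec.get("crl_serials", "")
        serials = {int(s.strip(), 16) for s in raw.split(",") if s.strip()}
        cas[name] = {
            # configparser accepts yes/no, true/false, on/off, 1/0
            "compromised": sec.getboolean("ca_compromised", fallback=False),
            "revoked": serials,
            # certificate the responder would sign with for this CA
            "responder_cert": sec.get("responder_cert"),
        }
    return cas


def cert_status(cas, issuer, serial):
    """Return (status, reason) the way an OCSP responder would decide it."""
    ca = cas.get(issuer)
    if ca is None:
        return ("unknown", None)  # responder is not authoritative for it
    if ca["compromised"]:
        # RFC 2560 2.2: a responder that knows a CA key is compromised
        # may report every certificate of that CA as revoked.
        return ("revoked", "caCompromise")
    if serial in ca["revoked"]:
        return ("revoked", "unspecified")
    return ("good", None)
```

The `revoked` answer for `SubCA` is given for any serial, including ones never listed on its CRL, which is exactly what the keyword is meant to trigger.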

_______________________________________________
OpenCA-Devel mailing list
OpenCA-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-devel