Hi!![...]
and the response is:
certs/03.pem: good
        This Update: Jul 17 17:49:27 2003 GMT
10: unknown
        This Update: Jul 17 17:49:27 2003 GMT
So, I think there is a bug in the OpenCA OCSPServer :( or can anybody explain this OpenCA OCSPServer behaviour to me?
Hi,
I have been asking the IETF people, as reading the RFC, the unknown status should be used ONLY when the certificate whose status you are asking for is from a CA the responder does not know anything about.
In your case the certificate is supposed to be from the CA issuing the responder's certificate, so the right behavior is to send the good status even if the certificate was not issued.
Well, I know it is an idiotic behavior, but according to the RFC this is the right one. I guess it has been done this way because:
1. Usually you do not verify a certificate you do not have access to, hence it is odd asking for the status of a non-available certificate.
2. You can use the CRL as a backend for the responder. Our server uses the CRL and not the index.txt, as it is a far more standard approach and you can use the responder without requiring the index.txt: you can then have a CA from any provider, and the latest CRL will do fine to run the responder. Also you can store the CRL onto LDAP.
I hope I have been clear about the choices behind the OCSPd behavior; let me know if there are problems with it.
Anyway the code should be enhanced with more checks on the request, but this is another issue... :-D
--
C'you,
Massimiliano Pala
--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
Tel.: +39 (0)59 270 094
http://www.openca.org Fax: +39 178 221 8225
http://openca.sourceforge.net Mobile: +39 (0)347 7222 365
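An added example (not code from this thread or from OpenCA) contrasting the two responder backends the reply describes: a CRL-backed lookup, which answers "unknown" only for a foreign issuer and "good" for any serial absent from the CRL, beside an index.txt-style lookup that can answer "unknown" for a serial the CA never issued. The issuer name, the CRL entries and the index contents are constructed sample data.

```python
"""Added example: why a CRL-backed OCSP responder answers 'good' for a
serial that was never issued, while an index.txt-backed one can say 'unknown'.
The CRL and issuance index below are constructed sample data, not real."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed: the issuer name this responder is authoritative for (assumption).
KNOWN_ISSUER = "CN=Example Test CA"


@dataclass
class OCSPStatus:
    status: str                        # "good", "revoked" or "unknown"
    revocation_time: Optional[datetime] = None
    reason: Optional[str] = None


# Constructed sample CRL contents: serial -> (revocationDate, reason).
SAMPLE_CRL = {
    0x07: (datetime(2003, 7, 1, 12, 0, tzinfo=timezone.utc), "keyCompromise"),
}

# Constructed sample OpenSSL-style index.txt: the serials the CA actually issued.
SAMPLE_INDEX = {0x01, 0x02, 0x03, 0x07}


def status_from_crl(issuer: str, serial: int) -> OCSPStatus:
    """CRL backend (the approach the reply describes): 'unknown' only for a
    foreign issuer; any serial absent from the CRL is reported 'good', even
    if the CA never issued it, because a CRL only lists revocations."""
    if issuer != KNOWN_ISSUER:
        return OCSPStatus("unknown")
    if serial in SAMPLE_CRL:
        when, reason = SAMPLE_CRL[serial]
        return OCSPStatus("revoked", when, reason)
    return OCSPStatus("good")


def status_from_index(issuer: str, serial: int) -> OCSPStatus:
    """Issuance-database backend: can also flag never-issued serials, at the
    cost of needing the CA's own index rather than just its published CRL."""
    if issuer != KNOWN_ISSUER or serial not in SAMPLE_INDEX:
        return OCSPStatus("unknown")
    return status_from_crl(issuer, serial)


if __name__ == "__main__":
    for serial in (0x03, 0x0A, 0x07):
        print(f"{serial:02x}: crl={status_from_crl(KNOWN_ISSUER, serial).status} "
              f"index={status_from_index(KNOWN_ISSUER, serial).status}")
```

Serial 0x0A is the interesting case: the CRL backend reports it "good" (the RFC behaviour the reply defends), while the index backend reports it "unknown" (the result shown in the original question).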