Damir Dzeko wrote:
> Hi Massimiliano
[...]
Thanks for the patch, I will fix it...
> And a question - I have a CRL and CA certificate that has been created
> by some other CA -- not OpenSSL CA -- and because of that, I do not have
> index.txt database.
>
> How can I use your OCSPD in such configuration? Do I have to manually
> create some index.txt based on CRL file or some other data that can be
> extracted from CA's database or can I go without it if I find it ok
> just to serve "revoked" and "unknown" as answers to OCSP queries.
The latest version of OCSPD does not use the index.txt to overcome this
problem and to be able to answer for CAs you do not directly manage
(you can just download the CA cert and the latest CRL from different
sources, e.g. http or ldap).
By the book, responses from OCSPD are basically three: "revoked", "valid"
or "unknown". The OCSPD will respond as follows:
* revoked - if the certificate is present in one of the loaded CRLs
* valid - if the certificate is issued by one of the configured CAs
  but it is not present in the CRL
* unknown - if the certificate has been issued by a CA which is not
  configured in the OCSPD
For "suspended" certificates, the extension "onHold" in the CRL should
be set (the OCSP will copy that extension to the response).
Does this help to clarify the operations of the OCSPD?
If you have further questions, just ask :-D
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
[EMAIL PROTECTED]
Dartmouth Computer Science Dept Home Phone: +1 (603) 397-3883
PKI/Trust
--o------------------------------------------------------------------------
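
The decision rules described in the message above, as an added example (not OCSPD's code and not part of the original e-mail): a Python model that loads the revoked serials and reason codes from `openssl crl -noout -text` output and answers "revoked", "valid" or "unknown". The CRL text is constructed, the function names are hypothetical, and keying CAs by issuer name string is a simplification (an OCSP request identifies the issuer by name and key hashes); "valid" here corresponds to the OCSP "good" status.

```python
import re

# Constructed sample: abbreviated `openssl crl -noout -text` output, hypothetical CA.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: CN = Example Issuing CA
        Last Update: Jan  1 00:00:00 2024 GMT
        Next Update: Feb  1 00:00:00 2024 GMT
Revoked Certificates:
    Serial Number: 1A2B
        Revocation Date: Dec 10 09:00:00 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 1A2C
        Revocation Date: Dec 20 09:00:00 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Certificate Hold
    Serial Number: 1A2D
        Revocation Date: Dec 21 09:00:00 2023 GMT
"""

def load_crl(text):
    """Return (issuer, {serial_int: reason_or_None}) parsed from CRL text output."""
    issuer = re.search(r"^\s*Issuer:\s*(.+)$", text, re.M).group(1).strip()
    revoked = {}
    # Split at each "Serial Number:" so a reason code stays with its own entry.
    for entry in re.split(r"^\s*Serial Number:\s*", text, flags=re.M)[1:]:
        serial = int(entry.split()[0], 16)  # openssl prints serials in hex
        m = re.search(r"CRL Reason Code:\s*\n\s*(.+)", entry)
        revoked[serial] = m.group(1).strip() if m else None
    return issuer, revoked

def ocsp_status(cas, issuer, serial):
    """cas maps issuer name -> revoked dict, one entry per configured CA."""
    if issuer not in cas:
        return ("unknown", None)   # issuer is not configured in the responder
    if serial in cas[issuer]:
        # The reason (e.g. Certificate Hold for a suspension) travels with the answer.
        return ("revoked", cas[issuer][serial])
    return ("valid", None)         # configured CA, serial absent from its CRL

ISSUER, REVOKED = load_crl(SAMPLE_CRL_TEXT)
CAS = {ISSUER: REVOKED}
```

In this model any serial absent from the CRL answers "valid", because a CRL lists revocations only and says nothing about which serials were actually issued.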