[EMAIL PROTECTED] wrote: > Massimiliano, Hi Thomas,
> we are currently working on an OCSP responder based on OpenCA-OCSP. The > ocspd shall take an ldap as his underlying information base. > > Taking openssl as a client I get the following result: > > ----------------------------------------------------------------------------- > C:\Programme\OpenSSL\bin>openssl ocsp -issuer > c:\Programme\OpenSSL\bin\certs\cert.pem -serial 1001 -url > http://161.90.190.254:2560 -noverify > 1001: WARNING: Status times invalid. > 2476:error:2707307E:OCSP routines:OCSP_check_validity:status not yet > valid:.\crypto\ocsp\ocsp_cl.c:329: > unknown > This Update: Mar 30 14:15:01 2007 GMT > Next Update: Mar 30 14:20:01 2007 GMT > ----------------------------------------------------------------------------- This seems like a clock-skew error, check that the server and the client clocks are alligned. It seems the response has a validity time in the future... > Our question is, how the ocspd identifies a certificate in the ldap > directory? How does he know, that a certificate exist?... and the > ncertificate with serial number 1001 does :) Well, it does not indeed. The OCSP is thought to provide information about the revocation status of a certificate, not its validity status. It is a subtle difference, but it is important. For checking the validity of a certificate, you may want to look at more complex services like SCVP. Anyhow, for this reason, the OCSP is built on the revocation info only (i.e. the issued CRLs). This means that a response "Good" from the OCSP means that the certificate is not present among the revoked ones, i.e. it is not present within the CRL. I hope this clarifies a little bit how the OCSP works. Let me know if you have more doubts! Cheers, Max -- Best Regards, Massimiliano Pala --o------------------------------------------------------------------------ Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED] [EMAIL PROTECTED] Dartmouth Computer Science Dept Home Phone: +1 (603) 397-3883 PKI/Trust - Office 063 Work Phone: +1 (603) 646-9179 --o------------------------------------------------------------------------ ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Openca-Users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openca-users
