Hi Massimiliano,

thanks for your response.
It clarifies a little bit but... I am not quite sure about the difference
of "good" and "unknown". Even reading the RFC isn't very helpful.
What more does the ocspd know of a certificate when he responds "good" 
compared with an "unknown" response? From my point of view he knows that the 
cert is not on the crl but in both cases he seems to know nothing else about 
the cert... Where's the difference?
You see, I'm a little bit confused with that.

Best regards

Thomas

----- Original Message ----- 
From: "Massimiliano Pala" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Friday, March 30, 2007 9:07 PM
Subject: Re: [Openca-Users] Questions on ocspd


> [EMAIL PROTECTED] wrote:
>> Massimiliano,
>
> Hi Thomas,
>
>> we are currently working on an OCSP responder based on OpenCA-OCSP. The
>> ocspd shall take an ldap as his underlying information base.
>>
>> Taking openssl as a client I get the following result:
>>
>> -----------------------------------------------------------------------------
>> C:\Programme\OpenSSL\bin>openssl ocsp -issuer
>> c:\Programme\OpenSSL\bin\certs\cert.pem -serial 1001 -url
>> http://161.90.190.254:2560 -noverify
>> 1001: WARNING: Status times invalid.
>> 2476:error:2707307E:OCSP routines:OCSP_check_validity:status not yet
>> valid:.\crypto\ocsp\ocsp_cl.c:329:
>> unknown
>>         This Update: Mar 30 14:15:01 2007 GMT
>>         Next Update: Mar 30 14:20:01 2007 GMT
>> -----------------------------------------------------------------------------
>
> This seems like a clock-skew error, check that the server and the client clocks
> are aligned. It seems the response has a validity time in the future...
>
>> Our question is, how the ocspd identifies a certificate in the ldap
>> directory? How does he know, that a certificate exists?... and the
>> certificate with serial number 1001 does :)
>
> Well, it does not indeed. The OCSP is thought to provide information about the
> revocation status of a certificate, not its validity status. It is a subtle
> difference, but it is important. For checking the validity of a certificate,
> you may want to look at more complex services like SCVP.
>
> Anyhow, for this reason, the OCSP is built on the revocation info only (i.e. the
> issued CRLs). This means that a response "Good" from the OCSP means that the
> certificate is not present among the revoked ones, i.e. it is not present within
> the CRL.
>
> I hope this clarifies a little bit how the OCSP works.
>
> Let me know if you have more doubts!
>
> Cheers,
> Max
>
> -- 
>
> Best Regards,
>
> Massimiliano Pala
>
> --o------------------------------------------------------------------------
> Massimiliano Pala [OpenCA Project Manager] 
> [EMAIL PROTECTED]
> 
> [EMAIL PROTECTED]
>
> Dartmouth Computer Science Dept               Home Phone: +1 (603) 397-3883
> PKI/Trust - Office 063                        Work Phone: +1 (603) 646-9179
> --o------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share 
> your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Openca-Users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openca-users
> 
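The two technical points of this exchange, the client-side status-time check behind the "status not yet valid" error and what a CRL-backed responder can and cannot say about a serial, as an added Python example that is not code from the thread, from OpenCA or from OpenSSL. The 300-second skew tolerance mirrors the `-nsec` default of `openssl ocsp`; the issuer names, revoked serials and client clock values are constructed, while the thisUpdate/nextUpdate times are those printed in the quoted openssl output.

```python
from datetime import datetime, timedelta, timezone

# Clock-skew tolerance in seconds, matching the -nsec default of `openssl ocsp`.
DEFAULT_NSEC = 300

def check_validity(this_update, next_update, now, nsec=DEFAULT_NSEC, maxsec=-1):
    """Window check in the spirit of OpenSSL's OCSP_check_validity().
    Returns a list of problems; [] means the status times are acceptable.
    maxsec < 0 disables the 'too old' check, as OpenSSL does by default."""
    skew = timedelta(seconds=nsec)
    problems = []
    if this_update > now + skew:          # response dated in the client's future
        problems.append("status not yet valid")
    if next_update is not None:
        if next_update < now - skew:      # response already expired
            problems.append("status expired")
        if next_update < this_update:     # malformed window
            problems.append("nextUpdate before thisUpdate")
    if maxsec >= 0 and this_update < now - timedelta(seconds=maxsec):
        problems.append("status too old")
    return problems

def crl_based_status(serial, issuer, crls):
    """Status a responder built on CRLs only can return.
    'good' just means the serial is not on the issuer's CRL; it does not say the
    certificate was ever issued. 'unknown' means the responder holds no
    revocation data for that issuer at all (the serial is not even lookup-able)."""
    revoked = crls.get(issuer)
    if revoked is None:
        return "unknown"
    return "revoked" if serial in revoked else "good"

# Times from the response quoted in the thread (5-minute validity window).
THIS_UPDATE = datetime(2007, 3, 30, 14, 15, 1, tzinfo=timezone.utc)
NEXT_UPDATE = datetime(2007, 3, 30, 14, 20, 1, tzinfo=timezone.utc)
# Constructed client clocks: one running ten minutes behind the responder, one aligned.
SKEWED_CLIENT_CLOCK = datetime(2007, 3, 30, 14, 5, 0, tzinfo=timezone.utc)
ALIGNED_CLIENT_CLOCK = datetime(2007, 3, 30, 14, 16, 0, tzinfo=timezone.utc)
# Constructed CRL data: issuer name -> set of revoked serial numbers.
CRLS = {"CN=Example Test CA": {2002, 3003}}

if __name__ == "__main__":
    print(check_validity(THIS_UPDATE, NEXT_UPDATE, SKEWED_CLIENT_CLOCK))   # ['status not yet valid']
    print(check_validity(THIS_UPDATE, NEXT_UPDATE, ALIGNED_CLIENT_CLOCK))  # []
    print(crl_based_status(1001, "CN=Example Test CA", CRLS))              # good
    print(crl_based_status(2002, "CN=Example Test CA", CRLS))              # revoked
    print(crl_based_status(1001, "CN=Unknown CA", CRLS))                   # unknown
```

A client whose clock is more than `nsec` seconds behind the responder sees exactly the warning in the transcript, even though the responder itself is healthy.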
