Hi Thomas,

when I started to test my CA I ran into similar problems in understanding the difference. Perhaps this hint will also help you a little bit:

When you want to check a certificate you have to do 2 things:
- check via OCSP or CRL => the certificate is revoked or not
- if not revoked => calculate the hash of the certificate, decrypt the signature of the certificate and compare both values; if they are equal the certificate was really created by the CA (proof of existence if you want to call it like that).

Kind regards,
Matthias

On 3/30/07, Massimiliano Pala <[EMAIL PROTECTED]> wrote:
> ThBeckmann wrote:
> > Hi Massimiliano,
> >
> > thanks for your response.
> > It clarifies a little bit but... I am not quite sure about the difference
> > of "good" and "unknown". Even reading the rfc isn't very helpful.
>
> Yes, I know...I've been reading it for quite a few years and still there are
> some parts which are open to interpretation... :(
>
> > What more does the ocspd know of a certificate when he responds "good"
> > compared with an "unknown" response? From my point of view he knows that the
> > cert is not on the crl but in both cases he seems to know nothing else about
> > the cert... Where's the difference?
>
> The Unknown means that the responder does not have information about the
> revocation status of that certificate. Basically this means that the responder
> is not giving responses for the requested certificate. My take is that the
> responder does not provide responses for the issuing CA, i.e. the certificate
> is not issued by one of the configured CAs in the OCSP.
>
> > You see, I'm a little bit confused with that.
>
> The OCSP is a very easy service to set up, but the RFC, as it is written, is
> open to several interpretations and you need to have some background
> `unwritten' knowledge to set up a responder correctly.... :(
>
> I hope this clarifies your doubts.
>
> Cheers,
> Max
>
> --
> Best Regards,
> Massimiliano Pala
>
> --o------------------------------------------------------------------------
> Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> Dartmouth Computer Science Dept Home Phone: +1 (603) 397-3883
> PKI/Trust - Office 063 Work Phone: +1 (603) 646-9179
> --o------------------------------------------------------------------------
>
> _______________________________________________
> Openca-Users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openca-users
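
As an added illustration (not part of the original thread and not OpenCA's ocspd code), the following Python example models a CRL-backed responder as Max describes it and the two client-side checks Matthias lists. The names `CertID`, `cert_id`, `Responder` and `accept`, and all CA names, keys and serials, are hypothetical.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class CertID:
    """Simplified OCSP CertID: issuer name hash, issuer key hash, serial."""
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int

def cert_id(issuer_name: bytes, issuer_key: bytes, serial: int) -> CertID:
    # A real CertID hashes the DER-encoded issuer name and public key with a
    # requester-chosen algorithm; plain byte strings stand in for them here.
    return CertID(hashlib.sha256(issuer_name).digest(),
                  hashlib.sha256(issuer_key).digest(), serial)

class Responder:
    """CRL-backed responder: knows revoked serials for configured CAs only."""
    def __init__(self):
        self._crl = {}  # (name_hash, key_hash) -> set of revoked serials

    def add_ca(self, issuer_name: bytes, issuer_key: bytes, revoked_serials):
        cid = cert_id(issuer_name, issuer_key, 0)
        key = (cid.issuer_name_hash, cid.issuer_key_hash)
        self._crl[key] = set(revoked_serials)

    def status(self, req: CertID) -> str:
        revoked = self._crl.get((req.issuer_name_hash, req.issuer_key_hash))
        if revoked is None:
            return "unknown"   # issuer is not one of the configured CAs
        if req.serial in revoked:
            return "revoked"   # serial is on that CA's revocation list
        return "good"          # only means: not on that CA's revocation list

def accept(status: str, signature_valid: bool) -> bool:
    # Client side: revocation status and the CA signature check must both pass.
    return status == "good" and signature_valid

# Constructed sample data: one configured CA with one revoked serial.
responder = Responder()
responder.add_ca(b"CN=Example CA", b"example-ca-public-key", {0x1001})

if __name__ == "__main__":
    for name, key, serial in [(b"CN=Example CA", b"example-ca-public-key", 0x1000),
                              (b"CN=Example CA", b"example-ca-public-key", 0x1001),
                              (b"CN=Other CA", b"other-ca-public-key", 0x1000)]:
        print(name.decode(), hex(serial), responder.status(cert_id(name, key, serial)))
```

In this model a serial the configured CA never issued still gets "good", because the responder only knows what is revoked; the signature check is therefore a separate step the client cannot skip.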
