Hi Alicia,
    You don't need to add any special extensions to root
certificates to say that the CA does OCSP. You basically need to
add the AIA extension in the end entity (EE)/CA certs that you issue,
to tell relying parties (RP) where to look for the OCSP server to
find the status of the EE certificate.

Also, when you run your OCSP server, you need to issue it a
special certificate with the OCSP signing property for Extended
Key Usage (and optionally the OCSP-nocheck extension).

Hope this helps,
Regards,
Ambarish

P.S. This response doesn't take into account any special or
different processing that might be done in the Netscape
implementation (if any).

---------------------------------------------------------------------
Ambarish Malpani
Architect                                                650.567.5457
ValiCert, Inc.                                  [EMAIL PROTECTED]
339 N. Bernardo Ave.                          http://www.valicert.com
Mountain View, CA 94043


> -----Original Message-----
> From: Alicia da Conceicao [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 23, 2000 1:58 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: X509v3 extensions for root CA certs to support OCSP?
> 
> 
> > You can do this via the authority information access extension. The
> > format is undocumented but something like:
> > 
> > authorityInfoAccess= OCSP;URI:http://some.ocsp.server/whatever/path
> 
> Dear Steve:
> 
> Do you have the object identifiers for this?  Do you know of any sources
> of info I can look at about this extension?  I can't find any mention
> of it in RFC 2560.  Is it required in the root CA certs, or will it
> work with it only added into the issued certs signed by the CA (so
> that the root CA certs don't need any OCSP extensions)?
>  
> > However if you do this and you never run an OCSP server this is
> > obviously a bad idea.
> 
> Netscape doesn't support it yet, and it will be turned off by default
> in Mozilla 6.0.  So we have time to fully implement OCSP by the time
> Netscape puts out future releases with OCSP on by default.
> 
> Besides, might it be possible to specify OCSP support in the
> individual issued certs signed by the CA?  So that software using
> those issued certs signed by OCSP root CA certs will only contact
> an OCSP server depending only on whether the appropriate extensions are
> within the issued certs signed by those CAs.
> 
> Thanks in advance.
> Alicia.
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
> 