Richard Levitte - VMS Whacker wrote:
>
> From: [EMAIL PROTECTED]
>
> steve> + *) Add additional OCSP certificate checks. These are those specified
> steve> + in RFC2560. This consists of two separate checks: the CA of the
> steve> + certificate being checked must either be the OCSP signer certificate
> steve> + or the issuer of the OCSP signer certificate. In the latter case the
> steve> + OCSP signer certificate must contain the OCSP signing extended key
> steve> + usage. This check is performed by attempting to match the OCSP
> steve> + signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
> steve> + in the OCSP_CERTID structures of the response.
> steve> + [Steve Henson]
> steve> +
>
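Review bot: the entry covers only the two outcomes in which the responder's chain is tied to the CA of the certificate being checked (the CA signs the response itself, or a delegate with the OCSP signing extended key usage does), and says nothing about a signer whose chain matches neither; the reply below states that such a signer is still accepted when the root of its chain has been given an explicit OCSPSigning trust setting, so that third path belongs in the entry too, e.g. "If neither check succeeds, the root CA of the OCSP signer's chain must be explicitly trusted for OCSPSigning."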
> I don't recall, and don't have good access to the source right now:
> does verification also work with VA certs, that is, completely
> separate signer certificates that you configure on the client end as
> well as the server end?
>
Yes, you need to add the CA to the trusted store and change the trust
setting of the root CA to support OCSPSigning; then it will verify for
any issuer CA in the OCSP request. This is intended to support the
"global responders" which give info about multiple CAs and have a
separate certificate chain.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]