From: Dr S N Henson <[EMAIL PROTECTED]>
drh> Yes, you need to add the CA to the trusted store and change the trust
drh> setting of the root CA to support OCSPSigning then it will verify for
drh> any issuer CA in the OCSP request. This is intended to support the
drh> "global responders" which give info about multiple CAs and have a
drh> separate certificate chain.
Are we talking about the same thing? In RFC2560 section 2.2, the
following possible signers are listed:
All definitive response messages SHALL be digitally signed. The key
used to sign the response MUST belong to one of the following:
-- the CA who issued the certificate in question
-- a Trusted Responder whose public key is trusted by the requester
-- a CA Designated Responder (Authorized Responder) who holds a
specially marked certificate issued directly by the CA, indicating
that the responder may issue OCSP responses for that CA
I'm talking about the "Trusted Responder", and what I want to be able
to do is tell OpenSSL in my client that one specific certificate
given by me shall be used to verify the signature. This has nothing
to do with chain verification, it's just about the verification of the
response signature, since I've already told it what public key I
trust.
I definitely do *not* want to have to tell OpenSSL that I trust the CA
of my "Trusted Responder" certificate, because that might imply that I
trust any certificate that CA has produced.
What you seem to talk about is the "CA Designated Responder"
certificate, which is a completely different story.
--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/
Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: cvs commit: openssl/crypto/ocsp ocsp.h ocsp_err.c ocsp_vfy.c
Richard Levitte - VMS Whacker Tue, 23 Jan 2001 05:02:11 -0800
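The distinction Richard is drawing, as an added example that is not code from the original thread or from the OpenSSL project itself: the client trusts one responder key directly (the second bullet of RFC 2560 section 2.2) instead of trusting the CA that issued the responder's certificate. Later openssl(1) releases expose exactly this on the client side as -VAfile (explicitly trusted responder certificates, the OCSP_TRUSTOTHER flag). The script below builds a throwaway issuing CA, one end-entity certificate and a responder whose certificate is self-signed and unrelated to that CA, signs a response with it offline, then verifies the response twice: once trusting only the issuing CA (rejected, since the responder does not chain to it) and once pinning the responder certificate with -VAfile (accepted on the signature alone). All names, the serial number and the index file are constructed for the demo; it assumes OpenSSL 1.1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added example, not from the original thread or from OpenSSL: the RFC 2560
# 2.2 "Trusted Responder" case with openssl(1). Every name, key, serial and
# the index file below is constructed for the demo; a modern openssl binary
# (1.1.1 or 3.x) is assumed to be on PATH.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway PKI: an issuing CA, one end-entity certificate, and an OCSP
# responder whose certificate is self-signed, i.e. NOT issued by the CA.
setup_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Issuing CA" \
        -keyout ca.key -out ca.pem >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout ee.key -out ee.csr >/dev/null 2>&1
    openssl x509 -req -in ee.csr -CA ca.pem -CAkey ca.key -set_serial 4097 \
        -days 30 -out ee.pem >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Independent OCSP Responder" \
        -keyout responder.key -out responder.pem >/dev/null 2>&1

    # ca(1)-style index the responder answers from: status, expiry (not
    # consulted for a status lookup), revocation date, serial, file, subject.
    # The serial must be the same hex string openssl prints for the cert.
    serial=$(openssl x509 -in ee.pem -noout -serial | cut -d= -f2)
    printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=demo.example\n' "$serial" > index.txt
}

# Responder side: build a request for ee.pem, then answer it offline with a
# GOOD response signed by the independent responder key.
issue_ocsp_response() {
    openssl ocsp -issuer ca.pem -cert ee.pem -no_nonce -reqout req.der >/dev/null 2>&1
    openssl ocsp -index index.txt -CA ca.pem -rsigner responder.pem -rkey responder.key \
        -reqin req.der -respout resp.der -no_nonce >/dev/null 2>&1
}

# Client, attempt 1: trust only the issuing CA and let openssl chain-verify
# the signer. The responder's self-signed certificate does not chain to that
# CA, so the response is rejected even though the signature itself is valid.
verify_with_issuer_ca_only() {
    openssl ocsp -respin resp.der -issuer ca.pem -cert ee.pem -no_nonce \
        -CAfile ca.pem >/dev/null 2>&1
}

# Client, attempt 2: pin the responder certificate itself with -VAfile. Only
# the response signature is checked against that key; no chain is built, so
# nothing else issued by the responder's own CA becomes trusted as a side effect.
verify_with_trusted_responder() {
    openssl ocsp -respin resp.der -issuer ca.pem -cert ee.pem -no_nonce \
        -CAfile ca.pem -VAfile responder.pem >/dev/null 2>&1
}

setup_demo_pki
issue_ocsp_response
if verify_with_issuer_ca_only; then
    echo "unexpected: response accepted with only the issuing CA trusted"
else
    echo "as expected: response rejected, responder does not chain to the issuing CA"
fi
if verify_with_trusted_responder; then
    echo "as expected: response accepted with the responder pinned via -VAfile"
fi
```

The alternative Richard rejects would be to add the responder's issuing CA to -CAfile (and mark it for OCSP signing) so that the chain check succeeds; with -VAfile the trust stays on the single responder key, which is the behaviour he asks for in the message above.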
