From: Oscar Jacobsson <[EMAIL PROTECTED]>

oscar.jacobsson> Richard Levitte - VMS Whacker wrote:
oscar.jacobsson> > I definitely do *not* want to have to tell OpenSSL
oscar.jacobsson> > that I trust the CA of my "Trusted Responder"
oscar.jacobsson> > certificate, because that might imply that I trust
oscar.jacobsson> > any certificate that CA has produced.
oscar.jacobsson>
oscar.jacobsson> Precisely, and that's why we have the key usage
oscar.jacobsson> extensions. You wouldn't necessarily want to trust
oscar.jacobsson> this certificate to sign anything but OCSP responses.

Hmm? If I have specified for my little client that the certificate
foo.pem is trusted to verify OCSP response signatures against, why
should my client try to tell me otherwise. I think you're mixing
things up, assuming you're talking about OCSPSigning, which is for
"CA Designated Responder" (also called "Authorized Responder").

oscar.jacobsson> > What you seem to talk about is the "CA Designated Responder"
oscar.jacobsson> > certificate, which is a completely different story.
oscar.jacobsson>
oscar.jacobsson> I don't think so. The CA designated responder, IIRC,
oscar.jacobsson> is one where the responder gets his public key signed
oscar.jacobsson> by the CA in question (thus "designated") in order to
oscar.jacobsson> prove that he is trusted to respond to these queries.

Your memory seems to work perfectly on this particular item :-).

--
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken  \ S-168 35 BROMMA   \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN            \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
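The distinction argued over in the message above, as an added example that is not part of the original mail or of OpenSSL's code: a toy model of the three ways RFC 2560 lets a client accept an OCSP response signer, showing that pinning foo.pem as a Trusted Responder says nothing about other certificates from the same CA. The `Cert` class, `authorize_responder`, the sample certificates and the name-based issuer check are assumptions for illustration; a real client verifies signatures and chains.

```python
import hashlib
from dataclasses import dataclass

OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning

@dataclass(frozen=True)
class Cert:
    """Toy stand-in for a parsed X.509 certificate (constructed data)."""
    subject: str
    issuer: str
    der: bytes                      # placeholder for the DER encoding
    eku: frozenset = frozenset()    # extended key usage OIDs

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

def authorize_responder(signer, issuing_ca, pinned):
    """Return the rule that authorizes `signer` to sign OCSP responses for
    certificates issued by `issuing_ca`, or None. Assumes the response
    signature has already been verified against signer's public key."""
    # 1. Trusted Responder: this exact certificate is pinned by local
    #    configuration. Nothing is implied about the CA that issued it.
    if signer.fingerprint in pinned:
        return "trusted-responder"
    # 2. The CA signs responses for its own certificates.
    if signer.fingerprint == issuing_ca.fingerprint:
        return "ca"
    # 3. CA Designated (Authorized) Responder: issued by that CA and
    #    carrying OCSPSigning. Name matching here is a simplification of
    #    verifying the CA's signature on the signer certificate.
    if signer.issuer == issuing_ca.subject and OCSP_SIGNING in signer.eku:
        return "ca-designated"
    return None

# Constructed sample certificates.
ca = Cert("CN=Example CA", "CN=Example CA", b"ca-der")
other_ca = Cert("CN=Other CA", "CN=Other CA", b"other-ca-der")
foo = Cert("CN=My Responder", "CN=Other CA", b"foo-der")         # the pinned foo.pem
sibling = Cert("CN=Some Server", "CN=Other CA", b"sibling-der")  # same issuer as foo
delegate = Cert("CN=OCSP Delegate", "CN=Example CA", b"delegate-der",
                frozenset({OCSP_SIGNING}))
plain = Cert("CN=Plain EE", "CN=Example CA", b"plain-der")       # no OCSPSigning
PINNED = {foo.fingerprint}
```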
Re: cvs commit: openssl/crypto/ocsp ocsp.h ocsp_err.c ocsp_vfy.c
Richard Levitte - VMS Whacker Tue, 23 Jan 2001 05:42:35 -0800