From: Dr S N Henson <[EMAIL PROTECTED]>
drh> > -- the CA who issued the certificate in question
drh> > -- a Trusted Responder whose public key is trusted by the requester
drh> > -- a CA Designated Responder (Authorized Responder) who holds a
drh> > specially marked certificate issued directly by the CA, indicating
drh> > that the responder may issue OCSP responses for that CA
drh> >
drh> > I'm talking about the "Trusted Responder", and what I want to be able
drh> > to do is tell OpenSSL in my client that one specific certificate
drh> > given by me shall be used to verify the signature. This has nothing
drh> > to do with chain verification, it's just about the verification of the
drh> > response signature, since I've already told it what public key I
drh> > trust.
drh> >
drh>
drh> Well that's something next on the list. You can pass in a list of "extra
drh> certificates" in the verify function and some flags. One flag will be
drh> "automatically trust these and don't try to verify them".
:-) Actually, for the "Trusted Responder" case, one shouldn't even
need to handle an OCSP signing certificate. Read that line again, all
it says is "pubkey". It says absolutely nothing about certificates in
that particular case. I could as well configure my client software
with a key.pem that contains exactly this:
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
... and it should be happy with that. That's what RFC2560 really
implies. One would just do it via certificates because it's more
comfortable that way...
--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/
Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: cvs commit: openssl/crypto/ocsp ocsp.h ocsp_err.c ocsp_vfy.c
Richard Levitte - VMS Whacker Tue, 23 Jan 2001 07:42:37 -0800
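The "Trusted Responder" case Richard describes, as an added example that is not part of the original thread and not OpenSSL's own code: the relying party is configured with nothing but a `-----BEGIN PUBLIC KEY-----` block and checks the OCSP response signature against that key, with no responder certificate and no chain building involved. It uses the third-party Python `cryptography` package (assumed to be installed); the demo CA, end-entity certificate and responder key are generated locally, the response is deliberately built without any embedded certificates, and the function names (`build_demo_response`, `verify_with_trusted_key`, `embedded_certificate_count`) are hypothetical.

```python
"""Added example: verify an OCSP response signature against a raw trusted
public key (the RFC 2560 "Trusted Responder" model), no certificate needed.
Uses the third-party `cryptography` package; all keys/certs are demo-only."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject_cn, issuer_cn, signing_key, public_key, serial):
    # Minimal certificate for the demo; no extensions are needed here.
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(public_key)
        .serial_number(serial)
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(signing_key, hashes.SHA256())
    )


def _public_pem(private_key):
    return private_key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )


def build_demo_response():
    """Return (DER OCSP response, responder public key PEM, unrelated key PEM).

    The response carries no certificates at all (constructed demo data): a
    trusted responder's signature must be checkable from the key alone."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ee_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    responder_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)

    ca_cert = _cert("Demo CA", "Demo CA", ca_key, ca_key.public_key(), 1)
    ee_cert = _cert("demo.example", "Demo CA", ca_key, ee_key.public_key(), 2)
    # Only used to derive the responderID (by key hash); never embedded.
    responder_cert = _cert("Demo Responder", "Demo Responder", responder_key,
                           responder_key.public_key(), 3)

    now = datetime.datetime.now(datetime.timezone.utc)
    response = (
        ocsp.OCSPResponseBuilder()
        .add_response(
            cert=ee_cert, issuer=ca_cert, algorithm=hashes.SHA256(),
            cert_status=ocsp.OCSPCertStatus.GOOD,
            this_update=now, next_update=now + datetime.timedelta(hours=1),
            revocation_time=None, revocation_reason=None,
        )
        .responder_id(ocsp.OCSPResponderEncoding.HASH, responder_cert)
        .sign(responder_key, hashes.SHA256())
    )
    # The end-entity key stands in for "some key that is not the responder's".
    return (response.public_bytes(serialization.Encoding.DER),
            _public_pem(responder_key), _public_pem(ee_key))


def verify_with_trusted_key(der_response, trusted_key_pem):
    """True if the response signature verifies under the configured PEM key.

    Nothing here looks at certificates or builds a chain: the trust decision
    was made when the key was configured, which is what the Trusted
    Responder model allows."""
    resp = ocsp.load_der_ocsp_response(der_response)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False
    key = serialization.load_pem_public_key(trusted_key_pem)
    try:
        key.verify(resp.signature, resp.tbs_response_bytes,
                   padding.PKCS1v15(), resp.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def embedded_certificate_count(der_response):
    """Number of certificates carried in the response (zero in this demo)."""
    return len(ocsp.load_der_ocsp_response(der_response).certificates)


if __name__ == "__main__":
    der, responder_pem, other_pem = build_demo_response()
    print("certificates embedded:", embedded_certificate_count(der))
    print("responder key verifies:", verify_with_trusted_key(der, responder_pem))
    print("unrelated key verifies:", verify_with_trusted_key(der, other_pem))
```

The verification step is the same whether the key came from a bare PEM file or was pulled out of a certificate the operator already trusts; the certificate only adds convenience, as the post says. A deployment would still check the response's time window (`this_update`/`next_update`) and that the `CertID` matches the request before acting on the status.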
