Florian Oelmaier wrote:
>
> > So you are precomputing the OCSP responses for *every* certificate every
> > two minutes? Yes that would require that you only have a small number of
> > certificates. It would also require that you prohibit multiple queries
> > in a request otherwise the number of responses you would need to
> > precompute could get rather large.
>
> Are there any clients out there doing multi-certificate OCSP-requests?
>
apps/ocsp.c can and I've been using it to check what various responders
do. In fact you can do all manner of strange things with the OpenSSL
ocsp utility. Perhaps there should be a competition to see how many
responders can be crashed with it :-)
Here's what the current responders do.
A couple handle it cleanly and provide a correct response with status
information about each certificate.
One silently ignores anything after the first request.
Another returns malformedRequest.
> And - to contribute to that past-experience thing - responders tend to
> behave more weirdly for multi-certificate OCSP requests!
>
Yes, they are weird enough for single requests. It's a pity, because being
able to query multiple certificates at once would be a way to reduce
responder load.
An issue is how to handle response verify for queries about multiple
CAs.
The two examples that work are both effectively global VAs which are
trusted by "out of band means" and no problems arise.
At first sight handling delegated signing with multiple CAs is not
permissible. Well, maybe it is, but if someone does that I'd rather not
try to code delegated verify for that case :-(
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
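Added example, not part of the message above or of the OpenSSL sources: a
standard-library-only Python script that builds the kind of multi-certificate
OCSPRequest the thread discusses (RFC 2560 TBSRequest with one Request/CertID
per serial) and walks the DER back to list the serials queried. It shows
concretely why a responder that precomputes one response per certificate
cannot precompute for arbitrary combinations, and gives you something to feed
to `openssl ocsp -reqin req.der -text` or to a responder under test. The
issuer name and issuer key bytes are constructed placeholders, not a real CA;
with a real issuer you would hash the DER Name and the subjectPublicKey BIT
STRING contents of its certificate.

```python
"""
Hand-encode a DER OCSPRequest with several CertIDs (RFC 2560 / RFC 6960),
then parse it back.  Standard library only; SHA-1 is used because that is
what the CertID hashAlgorithm conventionally carries.
Sample issuer data below is CONSTRUCTED for the example, not a real CA.
"""
import hashlib


# ---- minimal DER encoding helpers ----
def der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_sequence(*items):
    return tlv(0x30, b"".join(items))


def der_octet_string(b):
    return tlv(0x04, b)


def der_integer(n):
    """Non-negative INTEGER; a leading 0x00 keeps the high bit from reading as a sign."""
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return tlv(0x02, b)


DER_NULL = b"\x05\x00"
SHA1_OID = bytes.fromhex("06052b0e03021a")  # OBJECT IDENTIFIER 1.3.14.3.2.26 (id-sha1)


def cert_id(issuer_name_der, issuer_key_bytes, serial):
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }"""
    return der_sequence(
        der_sequence(SHA1_OID, DER_NULL),
        der_octet_string(hashlib.sha1(issuer_name_der).digest()),
        der_octet_string(hashlib.sha1(issuer_key_bytes).digest()),
        der_integer(serial),
    )


def ocsp_request(cert_ids):
    """Unsigned, extension-free OCSPRequest (version v1 is DEFAULT, so omitted).
    OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest }
    TBSRequest  ::= SEQUENCE { requestList SEQUENCE OF Request }
    Request     ::= SEQUENCE { reqCert CertID }"""
    request_list = der_sequence(*[der_sequence(cid) for cid in cert_ids])
    return der_sequence(der_sequence(request_list))


# ---- minimal DER walker, enough to read the request back ----
def _read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_request_serials(der):
    """Walk OCSPRequest -> TBSRequest -> requestList and return the serials queried."""
    _, tbs_and_sig, _ = _read_tlv(der, 0)      # OCSPRequest
    _, tbs, _ = _read_tlv(tbs_and_sig, 0)      # TBSRequest
    pos = 0
    while True:                                # skip optional [0] version / [1] requestorName
        tag, request_list, nxt = _read_tlv(tbs, pos)
        if tag == 0x30:
            break
        pos = nxt
    serials, pos = [], 0
    while pos < len(request_list):
        _, req, pos = _read_tlv(request_list, pos)   # Request
        _, certid, _ = _read_tlv(req, 0)             # CertID
        fields, p = [], 0
        while p < len(certid):
            tag, content, p = _read_tlv(certid, p)
            fields.append((tag, content))
        serials.append(int.from_bytes(fields[3][1], "big"))  # serialNumber is 4th field
    return serials


# CONSTRUCTED sample issuer: Name = CN=Example Test CA, key bytes are a placeholder.
EXAMPLE_ISSUER_NAME = der_sequence(
    tlv(0x31, der_sequence(bytes.fromhex("0603550403"), tlv(0x0C, b"Example Test CA"))))
EXAMPLE_ISSUER_KEY = bytes(range(64))
EXAMPLE_SERIALS = [0x1001, 0x1002, 0x1003]


def build_example_request():
    return ocsp_request([cert_id(EXAMPLE_ISSUER_NAME, EXAMPLE_ISSUER_KEY, s)
                         for s in EXAMPLE_SERIALS])


if __name__ == "__main__":
    req = build_example_request()
    with open("req.der", "wb") as f:
        f.write(req)
    print(len(req), "bytes; serials:", [hex(s) for s in parse_request_serials(req)])
```

The written file can be inspected with `openssl ocsp -reqin req.der -text -noverify`; the equivalent request against a real issuer is built by repeating `-cert` (or `-serial`) on the `openssl ocsp` command line, which is how the responder behaviour in the message above was exercised.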