On Wednesday 24 March 2010 12:01:51 you wrote:
<snip>
> > > Well it would typically require giving a public responder access to a
> > > CA key: increasing the risk of compromise especially if the private key
> > > itself is placed on the server.
> >
> > Steve, I think it's entirely unfair to label the non-delegated model as
> > "not recommended for security reasons" just because *some
> > implementations* might give "a public responder access to a CA key".
<snip>
> Yes, sorry, I should've qualified that statement. I was attempting to keep
> this simple and that always includes the risk of oversimplification.
Steve, thanks for explaining.

<snip>
> Though of course the delegated trust model can also support pre-produced
> OCSP responses.

That's true.

By the way, Steve, I'd like to propose a small change to "openssl ocsp" to support the non-delegated model more seamlessly. I've always been surprised and slightly confused that you have to specify both "-issuer ca.pem" and "-VAfile ca.pem" to verify the signature on a non-delegated OCSP Response. Why doesn't "-issuer ca.pem" cause ca.pem to be treated as a candidate OCSP Response signer certificate?

When, a couple of weeks ago, a colleague independently made the same observation and asked me that same question, it spurred me to write a patch. Would you be happy with this change in behaviour? If so, I'll submit my patch to the Request Tracker.

> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Rob Stradling
Senior Research & Development Scientist
C·O·M·O·D·O - Creating Trust Online
www.comodo.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org