re: newbie question on OCSP
OK... I think I get it... Now, the openssl site mentions an ocsp command for openssl, which I would assume would enable it to launch an ocsp response server. Firstly, I have openssl-0.9.6c-engine, and yet cannot find ocsp by me? Is it part of the planned 0.9.7? If so, is there a stable-looking release that includes it? Can anyone give me the basic basics on how it is meant to be used, and if it will work with the index.txt file maintained by openssl's mini-ca ca command?

Thanks for all the help, you guys are great!

Issac

PS. Can I humbly ask that people cc back to me also? tnx

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
Re: newbie question on OCSP
Issac Goldstand wrote:
> OK... I think I get it... Now, the openssl site mentions an ocsp command for openssl, which I would assume would enable it to launch an ocsp response server. Firstly, I have openssl-0.9.6c-engine, and yet cannot find ocsp by me? Is it part of the planned 0.9.7? If so, is there a stable-looking release that includes it? Can anyone give me the basic basics on how it is meant to be used, and if it will work with the index.txt file maintained by openssl's mini-ca ca command?
>
> Thanks for all the help, you guys are great!
>
> Issac

It is part of 0.9.7. There is a test responder supported by the 'openssl' command of 0.9.7 which can indeed read status information from the index.txt file. However it's only useful for test purposes in its current form, for example it will only accept one incoming connection. It would be possible to use it for more serious applications by wrapping it in a CGI script from a webserver though. It won't work well under heavy load or for a large number of certificates though.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.
Re: newbie question on OCSP
There are other differences:
- CRLs can be big
- An org might consider its CRL private info (ooh look, Fred must have gotten fired)
- It's hard to *prove* you consulted a CRL; for OCSP use a hash of your real document as the nonce, and save the response.
- An OCSP responder can work off faster information than just the CA's CRL.

hope this helps.
/r$
--
Zolera Systems, http://www.zolera.com
Information Integrity, XML Security
Re: newbie question on OCSP
Rich Salz wrote:
> An org might consider its CRL private info (ooh look, Fred must have gotten fired)

In private email, I was prompted to explain this better. The issue is not when ONE cert is revoked, but when a large number, and you can make guesses about the number range. For example, an Identrus bank might lose a customer, revoking 100 certificates; a corporation might shut down a department, revoking a couple-dozen, etc.

Hope this helps (more).
/r$
--
Zolera Systems, http://www.zolera.com
Information Integrity, XML Security
newbie question on OCSP
Can someone please help a poor newbie understand exactly what this is for and how it's used? I've tried looking at the documentation, but I feel like I'm drowning, probably because I'm trying to understand the details, but not quite getting the simple stuff...

Thanks in advance,
Issac
Re: newbie question on OCSP
Hi,

OCSP stands for Online Certificate Status Protocol. This, as the name suggests, specifies a protocol to obtain the status of a certificate online. There can be many reasons for a certificate to become invalid even before its actual lifetime for which it was issued. These may be key compromise etc.

Each CA maintains a list of all the revoked certificates. That list is called the Certificate Revocation List (CRL). Our aim is to obtain the status of a certificate, i.e. valid or invalid. To be more technical, revoked or not revoked.

One method of knowing this is using the LDAP protocol. Using this protocol a user can download the CRL and check it with the serial number of the certificate in question. If the serial number is found, it means the certificate is revoked; else the user can assume that the certificate is not revoked. This requires a lot of memory in your system as the CRL size keeps on increasing. For that reason the OCSP protocol was born. This might be the author's intention in bringing up this protocol.

There is a server called an OCSP responder. This server will maintain all the certificates that are revoked for a particular CA. (The CA may itself be an OCSP responder also.) The user constructs an OCSP request as per the protocol with all the details of the certificate for which the revocation status has to be found. The responder will respond with the status of that certificate saying whether it is GOOD, REVOKED or UNKNOWN.

This is my understanding of the OCSP protocol. I hope this helps...

Regards
Suram

- Original Message -
From: Issac Goldstand [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 08, 2002 1:17 AM
Subject: newbie question on OCSP

> Can someone please help a poor newbie understand exactly what this is for and how it's used? I've tried looking at the documentation, but I feel like I'm drowning, probably because I'm trying to understand the details, but not quite getting the simple stuff...
>
> Thanks in advance,
> Issac
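Added example (not code from the thread, from OpenSSL, or from any of the posters): a toy status lookup that ties together three points made in this thread. Steve's note that the 0.9.7 test responder reads status from the `openssl ca` index.txt, Suram's description of looking a serial number up and answering GOOD, REVOKED or UNKNOWN, and Rich Salz's suggestion of hashing the document you are checking and using that hash as the request nonce so a saved response proves what was checked. The index.txt content is constructed; the request and response are plain dicts, not the real OCSP wire format; and treating expired (E) entries as "good" is this example's own choice, since OCSP reports revocation rather than validity period.

```python
"""Toy OCSP-style status lookup over an OpenSSL-style index.txt database.

Added example, not the OpenSSL test responder. The layout parsed here is the
tab-separated one written by `openssl ca`:
    status  expiry  revocation_date[,reason]  serial(hex)  filename  subject
with status V (valid), R (revoked) or E (expired).
"""
import hashlib
from datetime import datetime, timezone

# Constructed sample index.txt (not a real CA database).
SAMPLE_INDEX = (
    "V\t250308120000Z\t\t01\tunknown\t/CN=alice\n"
    "R\t250308120000Z\t020308101500Z,keyCompromise\t02\tunknown\t/CN=bob\n"
    "E\t020101000000Z\t\t03\tunknown\t/CN=carol\n"
)


def parse_index(text: str) -> dict:
    """Return {serial_as_int: record} for every entry in an index.txt file."""
    db = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, expiry, revoked, serial, _fname, subject = fields
        rec = {"status": status, "expiry": expiry, "subject": subject}
        if status == "R":
            # Revocation column is "<date>" or "<date>,<reason>".
            date, _, reason = revoked.partition(",")
            rec["revocation_time"] = date
            rec["reason"] = reason or None
        db[int(serial, 16)] = rec
    return db


def cert_status(db: dict, serial_hex: str) -> dict:
    """Map an index.txt record to the three OCSP answers: good, revoked, unknown."""
    rec = db.get(int(serial_hex, 16))
    if rec is None:
        # Serial never issued by (or not known to) this CA.
        return {"status": "unknown"}
    if rec["status"] == "R":
        return {"status": "revoked",
                "revocation_time": rec["revocation_time"],
                "reason": rec["reason"]}
    # V and E both answer "good": expiry is for the relying party to check
    # against notAfter; a responder only reports revocation (design choice).
    return {"status": "good"}


def document_nonce(document: bytes) -> str:
    """Rich Salz's suggestion: derive the request nonce from the document."""
    return hashlib.sha256(document).hexdigest()


def respond(db: dict, request: dict) -> dict:
    """Toy responder: answer a {'serial', 'nonce'} request, echoing the nonce."""
    answer = cert_status(db, request["serial"])
    answer["serial"] = request["serial"]
    answer["nonce"] = request["nonce"]
    answer["produced_at"] = datetime.now(timezone.utc).isoformat()
    return answer


def check_saved_response(response: dict, document: bytes, serial_hex: str) -> bool:
    """Later audit: does a saved response cover this document and this cert?

    Because the nonce was the document hash, a response whose nonce matches
    is evidence that status was consulted for exactly this document.
    """
    return (response["nonce"] == document_nonce(document)
            and int(response["serial"], 16) == int(serial_hex, 16))


if __name__ == "__main__":
    database = parse_index(SAMPLE_INDEX)
    contract = b"constructed sample document"
    req = {"serial": "02", "nonce": document_nonce(contract)}
    resp = respond(database, req)
    print(resp)
    print("response covers contract:", check_saved_response(resp, contract, "02"))
```

A real deployment would verify the responder's signature over the response before trusting either the status or the echoed nonce; the toy above only models the lookup and the nonce binding.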