
OCSP Stapling w/ Delegated Signers


Tom Ritter

Apr 27, 2013, 1:37:42 PM
to dev-se...@lists.mozilla.org
I have what may be a well-trodden topic in the nuances of OCSP Stapling
- but after having it posed to me I realized I did not know the
answer. Thus, I ask publicly in the hope that there is a simple
answer I can point to in the future.

If a CA uses a delegated signer for OCSP, and a website delivers an
OCSP Staple... How does the user (talking only to the website) get

- The Delegated Signing Cert (which is presumably an Intermediate off
a Trust Root)
- The revocation information for *that* Intermediate cert

thanks,
tom

Kai Engert

Apr 27, 2013, 3:18:20 PM
to Tom Ritter, dev-se...@lists.mozilla.org
See the definition of an OCSPResponse in RFC 2560.

An OCSPResponse may contain an optional sequence of additional
certificates. This is the place to transport the delegated signing cert.

In my understanding, if you request status for a certificate C1, which
was signed by a CA1, and the CA1 chooses to use a delegated signing cert
C2, then both C1 and C2 must have been signed by the same CA1.

Although an OCSP response can contain only information related to one
CA, the signed data inside the OCSPResponse contains a sequence of one
or more entries of type SingleResponse. I guess this sequence could
contain status entries for both C1 and C2.

I wonder if an OCSP responder using a delegated signing cert should
always include status information for the delegated signing cert, too.

Kai


Rob Stradling

Apr 29, 2013, 3:46:20 AM
to Tom Ritter, dev-se...@lists.mozilla.org
On 27/04/13 18:37, Tom Ritter wrote:
> I have what may be a well-trodden topic in the nuances of OCSP Stapling
> - but after having it posed to me I realized I did not know the
> answer. Thus, I ask publicly in the hope that there is a simple
> answer I can point to in the future.
>
> If a CA uses a delegated signer for OCSP, and a website delivers an
> OCSP Staple... How does the user (talking only to the website) get
>
> - The Delegated Signing Cert (which is presumably an Intermediate off
> a Trust Root)
> - The revocation information for *that* Intermediate cert

Tom, RFC2560 deals with this issue (see section 4.2.2.2.1).

Public CAs that use delegated OCSP signing should follow the CABForum
Baseline Requirements (section 13.2.5):
"the OCSP signing Certificate MUST contain an extension of type
id-pkix-ocsp-nocheck, as defined by RFC2560."

Delegated OCSP signing certificates are end-entity certs, not
Intermediate certs.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
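The validation path the two replies describe, as an added example that is not from the thread: a constructed PKI in which CA1 issues both the site cert C1 and a delegated responder C2 (with the OCSP-signing EKU and id-pkix-ocsp-nocheck), a stapled response that transports C2 in the OCSPResponse certs field, and a client-side check that needs nothing beyond the staple and C1's issuer. The cryptography package, the names and the helper functions are assumptions.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.now(timezone.utc)
def make_cert(cn, issuer_cn, key, issuer_key, extensions=()):  # constructed test PKI helper
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=30)))
    for ext in extensions:
        b = b.add_extension(ext, critical=False)
    return b.sign(issuer_key, hashes.SHA256())
# Constructed PKI: CA1 issues site cert C1 and delegated OCSP signer C2 (OCSPSigning EKU + nocheck).
ca_key, site_key, signer_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ca_cert = make_cert("CA1", "CA1", ca_key, ca_key)
site_cert = make_cert("www.example.test", "CA1", site_key, ca_key)
signer_cert = make_cert("OCSP signer C2", "CA1", signer_key, ca_key,
    [x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), x509.OCSPNoCheck()])
def build_staple():
    """DER a web server would staple: GOOD status for C1, signed by C2, with C2 attached."""
    return (ocsp.OCSPResponseBuilder()
            .add_response(site_cert, ca_cert, hashes.SHA256(), ocsp.OCSPCertStatus.GOOD,
                          NOW, NOW + timedelta(days=1), None, None)
            .certificates([signer_cert])  # the optional certs field transports C2
            .responder_id(ocsp.OCSPResponderEncoding.NAME, signer_cert)
            .sign(signer_key, hashes.SHA256())).public_bytes(Encoding.DER)
def check_staple(der, issuer_cert):
    """Validate a delegated-signer staple using only the staple and C1's issuer cert."""
    resp = ocsp.load_der_ocsp_response(der)
    signer = next((c for c in resp.certificates if c.subject == resp.responder_name), None)
    if signer is None:
        return False, "responder cert not carried in the response"
    try:  # C2 must be signed by C1's issuer, be marked for OCSP signing, and carry nocheck
        issuer_cert.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                        ec.ECDSA(signer.signature_hash_algorithm))
        eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        signer.extensions.get_extension_for_class(x509.OCSPNoCheck)  # no revocation lookup for C2
        signer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   ec.ECDSA(resp.signature_hash_algorithm))
    except (InvalidSignature, x509.ExtensionNotFound) as e:
        return False, type(e).__name__
    if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
        return False, "signer lacks id-kp-OCSPSigning"
    return resp.certificate_status == ocsp.OCSPCertStatus.GOOD, "ok"
```

Passing a cert other than C1's real issuer as `issuer_cert` makes the first signature check fail, which is the case where a responder cert from some other CA is smuggled into the certs field.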
