[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[caops-wg] OCSP section 7

To: caops-wg@xxxxxxx
Subject: [caops-wg] OCSP section 7
From: Olle Mulmo <mulmo@xxxxxxxxxx>
Date: Tue, 31 May 2005 12:57:50 +0200
Cc: Olle Mulmo <mulmo@xxxxxxxxxx>
Delivered-to: grdfm-caops-wg-outgoing@mailbouncer.mcs.anl.gov
Delivered-to: grdfm-caops-wg@mailbouncer.mcs.anl.gov
Sender: owner-caops-wg@xxxxxxx

--In the last paragraph on page 9 we propose to clarify the text "...incoming OCSP request in turn copied by the OCSP client from the subscriber certificate that is currently being validated." changing it with the following "...incoming OCSP request specified by the client according to the AIA extension in the certificate that is currently being validated".

--In the second paragraph on page 10 the text "...may join efforts and set up a shared Trusted responder that serves requests on behalf on all of the CAs", from our point of view if a set of CAs will trust in a Responder then it becomes an Authorized Responder.

What I'm saying is that the CAs may set up a responder that works in Trusted mode -- not that they themselves trust the responder! Here, I was thinking of e.g. the ESNet OCSP service responding to queries for many (all?) of the GridPMA CAs, or a root-level responder answering to all queries in a PKI hierarchy: in both cases, for the responder to be called Authorized, each and every CA in the PMA/PKI would need to issued an OCSP signing certificate! In regards to hierarchies, this is IMO a shortcoming in the RFC, and some OCSP profiles (such as Identrus from the banking world) augments the RFC on this point, to allow for an OCSP responder that is issued an OCSP signing certificate from the root CA to be regarded as Authorized for any certificate in the whole hierarchy. Text should be added in this regard.

* We have been analyzing the new diagram in figure 1 and we find that we would need to clarify the trust relationships among the different components that are presented.

Good point.

-- At then end of definition 7.1: "The CA trusts in the Authorized Responder as a source of status information for the certificates of its own hierarchy . On the other hand, if the Client does not trust such hierarchy then it will not trust in such Authorized Responder".

Equivalent text has been added, although the part about hierarchies in the first sentence is not true: see comment above. The last sentence seems like a rather superfluous comment: if you don't trust the CA, you don't trust the responder that is has designated as authoritative.

-- At the end of denifition 7.2: "The User trusts in the Trusted Responder as a source of status information for the CAs hierarchies which it has configured. However these CAs will not implicetly trust in such Trusted Responder".

Equivalent text has been added, although the part about hierarchies in the first sentence is not true: see comment above.

Prev by Date: [caops-wg] OCSP section 2
Next by Date: [caops-wg] OCSP - use of nonce
Previous by thread: [caops-wg] OCSP section 2
Next by thread: [caops-wg] OCSP - use of nonce
Index(es):
- Date
- Thread