Re: [caops-wg] OCSP - proxy certs
Mike Helm wrote:
> Jesus Luna writes:
> > The client is the only one that can identify Proxy Certificates (in
> > fact it is pretty easy to do with the CoG Java implementation)
> > therefore releasing the OCSP server from such "customization".
> How does this client do this?
CoG v1.2 has the class org.globus.gsi.bc.BouncyCastleUtil containing the
method getCertificateType(), which is used by the ProxyPathValidator class
(and our own OCSP client) to identify if we are dealing with a Proxy
Certificate, a CA cert or an EEC (the interface org.globus.gsi.GSIConstants
contains the possible return values for that method).
Do not forget that such libraries are used not only on the client side
(i.e. grid-proxy-init) but also on the WSRF Container side.
> One of the motivations for doing OCSP is to lighten the cert checking
> burden on the client (to 1 ocsp status
> check call). So I think it would be good if we understood
> this issue better....
I agree with you, so let me present the pseudocode of our current
implementation in the ProxyPathValidator class:
/**
 1-First let us build an OCSP Request with the certificates received in
   the Proxy Certificate Path.
 2-The Proxy Certificate itself does not need to be added since the current
   OCSP Responder implementation will always return an "Unknown" status.
 3-As soon as the OCSP Responder allows Proxy Cert validation we will
   modify this.
**/
for each Certificate in CertificatePath and not ProxyCertificate {
    addOCSPRequest(Certificate);
}
/**
 4-Now it is time to read the OCSP Responders' URIs.
 5-In future versions this may be included in a security descriptor.
**/
initializeOCSPHostList();
/**
 6-If required we can add OCSP extensions to retrieve (experimental use).
**/
addOCSPExtensions();
/**
 7-And finally execute the OCSP call.
**/
doOCSP();
/**
 8-Retrieve the OCSP Response.
 9-We are parsing this information as a data structure of the form
   int[host][certNumber], where:
   - host=OCSP Responder that was contacted (according to OCSPHostList)
   - certNumber=identifies the position in the OCSPRequest list of the
     certificate whose status is being retrieved
**/
for each host and each certNumber in ocspResponse {
    if (ocspResponse[host][certNumber] != Good)  // One of Good, Revoked or Unknown
        then Return with Code=ProxyPathInvalid
}
Return with Code=ProxyPathValid
> Thanks, ==mwh
--
____________________
Jesus Luna Garcia
PhD Student. Polytechnic University of Catalonia
Barcelona, Spain
jluna@ac.upc.edu
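An added example, not code from this thread or from CoG, showing the same flow with Python's `cryptography` package: classify each certificate in a constructed CA -> EEC -> proxy path, build one OCSP request per non-proxy certificate that has an issuer in the path, and accept the path only if every responder answered Good. The chain, the responder names, and the proxy detection (RFC 3820 proxyCertInfo extension or a legacy "CN=proxy" suffix, standing in for CoG's getCertificateType()) are constructed assumptions here.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp

PROXY_CERT_INFO = x509.ObjectIdentifier("1.3.6.1.5.5.7.1.14")  # RFC 3820 proxyCertInfo

def is_proxy(cert):
    """Proxy if it carries proxyCertInfo (RFC 3820) or a legacy GSI-2 'CN=proxy' suffix."""
    try:
        cert.extensions.get_extension_for_oid(PROXY_CERT_INFO)
        return True
    except x509.ExtensionNotFound:
        cn = cert.subject.get_attributes_for_oid(x509.NameOID.COMMON_NAME)
        return bool(cn) and cn[-1].value in ("proxy", "limited proxy")

def build_ocsp_requests(path):
    """path is leaf-first [proxy, EEC, CA]. One DER request per non-proxy certificate
    that has an issuer in the path; the self-signed anchor has nobody to ask about it."""
    requests = []
    for cert, issuer in zip(path, path[1:]):
        if is_proxy(cert):
            continue  # a responder would only answer Unknown for a proxy (step 2 above)
        req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
        requests.append(req.public_bytes(serialization.Encoding.DER))
    return requests

def proxy_path_status(responses):
    """responses[host][certNumber] is an OCSPCertStatus; Revoked or Unknown fails the path."""
    good = all(s == ocsp.OCSPCertStatus.GOOD for st in responses.values() for s in st)
    return "ProxyPathValid" if good else "ProxyPathInvalid"

def _cert(cns, issuer, issuer_key, key):
    """Constructed test certificate; subject is a chain of CNs, issuer=None means self-signed."""
    subject = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn) for cn in cns])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(issuer.subject if issuer else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(hours=12))
            .sign(issuer_key, hashes.SHA256()))

def example_path():
    """Constructed CA -> EEC -> GSI-2 style proxy chain, returned leaf-first like a GSI cert path."""
    ca_key, eec_key, proxy_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = _cert(["Grid CA"], None, ca_key, ca_key)
    eec = _cert(["Grid CA", "Alice"], ca, ca_key, eec_key)
    proxy = _cert(["Grid CA", "Alice", "proxy"], eec, eec_key, proxy_key)
    return [proxy, eec, ca]
```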