[openssl-users] OCSP service dependant on time valid CRLs

socket danbryan80 at gmail.com
Thu Dec 10 17:29:54 UTC 2015


Hi Walter,

I agree with your addition regarding the fact that it is not saying the
cert is good, it's saying unknown. However, my understanding of the RFC is
that unknown should be returned when the OCSP service does not know about
the certificate issuer. I'm not sure that's the case.

Regarding the response verification, we are used the CA Designated
Responder (Authorized Responder). meaning that the issuer of serial
0x500c8bd was the same issuer of the OCSP Signing response (ABC CA3 DEV).
However, my testing shows that this only affects the "response verification
(OK/FAILED)" not the certificate status returned (good/revoked/unknown).

--Dan

On Thu, Dec 10, 2015 at 11:36 AM Walter H. [via OpenSSL] <
ml-node+s6102n61605h91 at n7.nabble.com> wrote:

> Hi Dan,
>
> On 10.12.2015 16:27, daniel bryan wrote:
>
> *TEST #2: *Next test was using OCSP:
>
> [dan at canttouchthis PKI]$ openssl ocsp -CAfile CAS/cabundle.pem -VAfile
> VAS/def_ocsp.pem -issuer CAS/IC\ ABC\ CA3\ DEV.cer -cert
> CERTS/0x500c8bd-revoked.pem -url http://ocspresponder:8080
>
>
>
> *Response verify OK CERTS/0x500c8bd-revoked.pem: unknown This Update: Dec
> 9 20:48:26 2015 GMT*
>
> as you can see the client *was NOT *informed the certificate was revoked.
>
> and also that it is not good -> unknown, revoked and good are the 3 values
> ...
>
>
> We are using a 3rd party vendors OCSP service, and I am of the opinion
> that an OCSP service should provide a revoked response regardless of the
> time validity of the CRL.
>
> does the OCSP responder cert be the signing cert itself or was it signed
> by the same signing cert that signed the cert you want to validate?
>
> or specific to your sample: did CAS/IC\ ABC\ CA3\ DEV.cer sign both
> CERTS/0x500c8bd-revoked.pem and the OCSP responder cert (VAS/def_ocsp.pem)?
>
>
> Walter
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
> *smime.p7s* (5K) Download Attachment
> <http://openssl.6102.n7.nabble.com/attachment/61605/0/smime.p7s>
>
>
> ------------------------------
> If you reply to this email, your message will be added to the discussion
> below:
>
> http://openssl.6102.n7.nabble.com/OCSP-service-dependant-on-time-valid-CRLs-tp61600p61605.html
> To start a new topic under OpenSSL - User, email
> ml-node+s6102n3h29 at n7.nabble.com
> To unsubscribe from OpenSSL - User, click here
> <http://openssl.6102.n7.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=3&code=ZGFuYnJ5YW44MEBnbWFpbC5jb218M3wxNTY2MDE3NjQ2>
> .
> NAML
> <http://openssl.6102.n7.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
>




--
View this message in context: http://openssl.6102.n7.nabble.com/OCSP-service-dependant-on-time-valid-CRLs-tp61600p61622.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151210/2a617b4d/attachment.html>


More information about the openssl-users mailing list