<div dir="ltr"><div>Hi Walter, <br><br>I agree with your addition regarding the fact that it is not saying the cert is good, it's saying unknown. However, my understanding of the RFC is that unknown should be returned when the OCSP service does not know about the certificate issuer. I'm not sure that's the case.<br><br>Regarding the response verification, we are using the CA Designated Responder (Authorized Responder), meaning that the issuer of serial 0x500c8bd was the same as the issuer of the OCSP response signer (ABC CA3 DEV). However, my testing shows that this only affects the "response verification (OK/FAILED)", not the certificate status returned (good/revoked/unknown).<br><br></div>--Dan<br><div><br><div class="gmail_quote"><div dir="ltr">On Thu, Dec 10, 2015 at 11:36 AM Walter H. [via OpenSSL] <<a href="/user/SendEmail.jtp?type=node&node=61622&i=0" target="_top" rel="nofollow" link="external">[hidden email]</a>> wrote:<br></div><blockquote style='border-left:2px solid #CCCCCC;padding:0 1em' class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

        
  
    
  
  
    Hi Dan,<br>
    <br>
    On 10.12.2015 16:27, daniel bryan wrote:
    <blockquote style='border-left:2px solid #CCCCCC;padding:0 1em' style="border-left:2px solid #cccccc;padding:0 1em" type="cite">
      
      <div>
        <div><b>TEST #2: </b>Next test was using OCSP:<br>
          <br>
          [dan@canttouchthis PKI]$ openssl ocsp -CAfile CAS/cabundle.pem
          -VAfile VAS/def_ocsp.pem -issuer CAS/IC\ ABC\ CA3\ DEV.cer
          -cert CERTS/0x500c8bd-revoked.pem -url <a href="http://ocspresponder:8080" rel="nofollow" link="external" target="_blank">http://ocspresponder:8080</a><br>
          <br>
          <i>Response verify OK<br>
            CERTS/0x500c8bd-revoked.pem: <b>unknown</b><br>
            This Update: Dec 9 20:48:26 2015 GMT</i><br>
          <br>
          as you can see the client <b>was NOT </b>informed the
          certificate was revoked.<br>
        </div>
      </div>
    </blockquote>
    and also that it is not good -> unknown, revoked and good are the
    3 values ...<br>
    <blockquote style='border-left:2px solid #CCCCCC;padding:0 1em' style="border-left:2px solid #cccccc;padding:0 1em" type="cite">
      <div>
        <div>
          <br>
          We are using a 3rd party vendors OCSP service, and I am of the
          opinion that an OCSP service should provide a revoked response
          regardless of the time validity of the CRL. <br>
        </div>
      </div>
    </blockquote>
    Is the OCSP responder cert the signing cert itself, or was it
    signed by the same signing cert that signed the cert you want to
    validate?<br>
    <br>
    or specific to your sample: did CAS/IC\ ABC\ CA3\ DEV.cer sign both
    CERTS/0x500c8bd-revoked.pem and the OCSP responder cert
    (VAS/def_ocsp.pem)?
    <blockquote style='border-left:2px solid #CCCCCC;padding:0 1em' style="border-left:2px solid #cccccc;padding:0 1em" type="cite">
      <div>
        <div><br>
        </div>
      </div>
    </blockquote>
    Walter<br>
  

</blockquote></div></div></div>
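<div>Added example (not code from the thread, and not OpenSSL's own test suite): the offline round trip below uses only <code>openssl</code>(1), assumed to be 1.1.1 or later and on PATH, to reproduce the two things being separated above. A throwaway CA named "ca" stands in for "IC ABC CA3 DEV", a revoked cert carries the thread's serial 0x500c8bd, and two responder certs are issued by that same CA, one with the OCSPSigning extended key usage (a CA-designated responder) and one without. <code>openssl ocsp -index</code> acts as the responder from files (<code>-reqin</code>/<code>-respout</code>), so no listener or network is needed. OpenSSL's responder answers <b>unknown</b> both when the serial is absent from its index and when the request names an issuer other than its <code>-CA</code>; the client's "Response verify OK"/"Response Verify Failure" line depends only on who signed the response and whether that signer is the issuer or an OCSPSigning-capable delegate of it. All other names, serials and dates are constructed for the demo.</div>

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway PKI and drive
# "openssl ocsp" as an offline responder (-index/-reqin/-respout) to show
# that the status word (good/revoked/unknown) and the "Response verify"
# result are decided independently. All names, serials and dates are
# constructed for the demo; "ca" stands in for "IC ABC CA3 DEV".
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req(1) config: no default x509 extensions, subject comes from -subj.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

# Self-signed CAs: the one the responder serves, and an unrelated one.
mkca() {
    openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1.pem" -subj "/CN=$1" -days 30 >/dev/null 2>&1
}
mkca ca
mkca otherca

# mkleaf NAME ISSUER SERIAL [EXTENSION-LINE]: end-entity cert signed by ISSUER.
mkleaf() {
    openssl req -config req.cnf -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1
    ext=""
    if [ -n "${4:-}" ]; then printf '%s\n' "$4" > "$1.ext"; ext="-extfile $1.ext"; fi
    # $ext is deliberately unquoted: an empty value adds no argument at all.
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$3" \
        -days 30 $ext -out "$1.pem" >/dev/null 2>&1
}
mkleaf good     ca      0x1001
mkleaf revoked  ca      0x500c8bd                                # the thread's serial
mkleaf nobody   ca      0x1002                                   # never put in the index
mkleaf foreign  otherca 0x1003                                   # issuer the responder does not serve
mkleaf ocsp-ok  ca      0x2001 "extendedKeyUsage = OCSPSigning"  # CA-designated responder
mkleaf ocsp-bad ca      0x2002                                   # same issuer, no OCSPSigning EKU

serial() { openssl x509 -noout -serial -in "$1.pem" | cut -d= -f2; }

# Responder database in "openssl ca" index.txt layout:
# status  expiry  revocation-time  serial  filename  subject   (tab separated)
printf 'V\t351231235959Z\t\t%s\tunknown\t/CN=good\n' "$(serial good)" > index.txt
printf 'R\t351231235959Z\t240101000000Z\t%s\tunknown\t/CN=revoked\n' \
    "$(serial revoked)" >> index.txt

# query ISSUER CERT RESPONDER: prints "<status> <verify>", e.g. "revoked OK".
query() {
    # Client side: build the request (nonce disabled so the saved response stays valid).
    openssl ocsp -issuer "$1.pem" -cert "$2.pem" -no_nonce -reqout req.der >/dev/null 2>&1
    # Responder side: answer from index.txt; unknown issuer or unknown serial -> "unknown".
    openssl ocsp -index index.txt -CA ca.pem -rsigner "$3.pem" -rkey "$3.key" \
        -no_nonce -reqin req.der -respout resp.der >/dev/null 2>&1
    # Client side: verify the saved response against the trust store and read the status.
    # The command exits non-zero on "Response Verify Failure" but still prints the status.
    out=$(openssl ocsp -respin resp.der -issuer "$1.pem" -cert "$2.pem" \
        -CAfile ca.pem -no_nonce 2>&1 || true)
    status=$(printf '%s\n' "$out" | sed -n "s/^$2\.pem: //p")
    case "$out" in *"Response verify OK"*) verify=OK ;; *) verify=FAILED ;; esac
    printf '%s %s\n' "$status" "$verify"
}

for args in "ca revoked ocsp-ok" "ca good ocsp-ok" "ca nobody ocsp-ok" \
            "otherca foreign ocsp-ok" "ca revoked ocsp-bad"; do
    # shellcheck disable=SC2086
    printf '%-26s -> %s\n' "$args" "$(query $args)"
done
```

<div>Run as a script, the five queries print <code>revoked OK</code>, <code>good OK</code>, <code>unknown OK</code> (serial not in the index), <code>unknown FAILED</code> (issuer the responder does not serve: it says unknown, and a correct client also refuses the response because the signer is not authoritative for that CA) and <code>revoked FAILED</code> (same CA, but the responder cert lacks the OCSPSigning EKU). The check a client must make is therefore two-stage: read the verify line first, since a status from a response that fails verification carries no information; then treat <b>unknown</b> from a verified response as "no answer", never as "not revoked".</div>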


        
        
        
<br/><hr align="left" width="300" />
View this message in context: <a href="http://openssl.6102.n7.nabble.com/OCSP-service-dependant-on-time-valid-CRLs-tp61600p61622.html">Re: OCSP service dependant on time valid CRLs</a><br/>
Sent from the <a href="http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html">OpenSSL - User mailing list archive</a> at Nabble.com.<br/>