<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Dan,<br>
<br>
On 10.12.2015 16:27, daniel bryan wrote:
<blockquote
cite="mid:CAJKvcBTVgw45DnYYSV1MdYHapUAmQ=6_pcw5O6LgKBxSn6Skxg@mail.gmail.com"
type="cite">
<div>
<div><b>TEST #2: </b>Next test was using OCSP:<br>
<br>
[dan@canttouchthis PKI]$ openssl ocsp -CAfile CAS/cabundle.pem
-VAfile VAS/def_ocsp.pem -issuer CAS/IC\ ABC\ CA3\ DEV.cer
-cert CERTS/0x500c8bd-revoked.pem -url <a
href="http://ocspresponder:8080">http://ocspresponder:8080</a><br>
<br>
<i>Response verify OK<br>
CERTS/0x500c8bd-revoked.pem: <b>unknown</b><br>
This Update: Dec 9 20:48:26 2015 GMT</i><br>
<br>
as you can see the client <b>was NOT </b>informed the
certificate was revoked.<br>
</div>
</div>
</blockquote>
and also that it is not good -> unknown, revoked and good are the
3 values ...<br>
<blockquote
cite="mid:CAJKvcBTVgw45DnYYSV1MdYHapUAmQ=6_pcw5O6LgKBxSn6Skxg@mail.gmail.com"
type="cite">
<div>
<div>
<br>
We are using a 3rd party vendor's OCSP service, and I am of the
opinion that an OCSP service should provide a revoked response
regardless of the time validity of the CRL. <br>
</div>
</div>
</blockquote>
is the OCSP responder cert the signing cert itself, or was it
signed by the same signing cert that signed the cert you want to
validate?<br>
<br>
or specific to your sample: did CAS/IC\ ABC\ CA3\ DEV.cer sign both
CERTS/0x500c8bd-revoked.pem and the OCSP responder cert
(VAS/def_ocsp.pem)?
Walter<br>
</body>
</html>