[openssl-users] OCSP response signed by self-signed trusted responder validation

Animesh Patel (anipatel) anipatel at cisco.com
Tue Dec 4 17:54:05 UTC 2018 

Thanks for the quick response Rich!

Just a quick follow on.

Per RFC6960 for OCSP, there are 3 options:

   All definitive response messages SHALL be digitally signed.  The key

   used to sign the response MUST belong to one of the following:



   - the CA who issued the certificate in question



   - a Trusted Responder whose public key is trusted by the requestor



   - a CA Designated Responder (Authorized Responder, defined in

     Section 4.2.2.2<https://tools.ietf.org/html/rfc6960#section-4.2.2.2>) who holds a specially marked certificate issued

     directly by the CA, indicating that the responder may issue OCSP

     responses for that CA

I’m seeing the self-signed and/or even a separate PKI root or hierarchy that is designated to sign responses as the 2nd option above which is essentially an ‘out of band’ trust that is configured on the requestor ahead of time.  Are you saying option 2 from the RFC is not supported within OpenSSL and would require changes?  Or am I misinterpreting option 2 above.

Lastly, I assuming my understanding is correct, I was thinking X509_check_trust() allows for communicating this ‘out of band’ trust to OpenSSL for validation of OCSP responses, is this not what this trust setting is for?

Thanks,
Animesh

From: "Salz, Rich" <rsalz at akamai.com>
Date: Tuesday, December 4, 2018 at 12:39 PM
To: "anipatel at cisco.com" <anipatel at cisco.com>, "openssl-users at openssl.org" <openssl-users at openssl.org>
Subject: Re: [openssl-users] OCSP response signed by self-signed trusted responder validation

The responder isn’t supposed to be self-signed.  It’s supposed to be signed by the CA issuing the certs.  That way you know that the CA “trusts” the responder.

Now, having said that, what you want to do is reasonable – think of it as “out of band” trust.  You will probably have to modify the source to support it, however.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20181204/73bb4a9d/attachment.html>

More information about the openssl-users mailing list