On 10/06/2008 03:54 PM, István Zsolt BERTA:

> We support the second option (Trusted Responder), where the requester
> explicitly trusts the OCSP responder. (In our case the link of trust
> is established by our CPS stating that the separate root can be trusted
> for signing relevant OCSP responses.) I do not know of any statement
> in RFC 2560 that requires the responder to be under the same root.
>
> Based on the above, we consider our solution RFC 2560 conformant.
>
> (We know of other similar solutions, e.g. openvalidation.org works
> exactly this way.)

openvalidation.org is, to all of my knowledge, a kind of proxy responder which provides OCSP service for many different CAs (and acts like a proxy). If I set Firefox to only trust your responder, it would maybe validate the certificates issued by your CA, but fail all other CA-issued certificates. A trusted responder is, to all of my knowledge, not meant to be used by CAs directly, except in the case of internal, corporate-wide CAs and OCSP service, or in the case of a proxy responder as mentioned above. The correct way of doing this for public CAs is via the AIA extension, IMO. In your case it would invalidate either your own certificates or those issued by other CAs.

> We had good reasons to choose this solution. According to Hungarian
> regulations, a qualified CA is allowed to use its private key for the
> following two purposes only:
> * signing qualified end-user certificates and
> * signing CRLs.
> As neither 'signing OCSP responses' nor 'signing OCSP responder
> certificates' is listed here, we were not allowed to support options 1
> and 3 marked in RFC 2560, so only option 2 remained.

You are not allowed to issue intermediate CA certificates then? Are you issuing directly from the CA root?

> Webserver and code signing certificates are generally non-qualified

What are the checks performed on code-signing certificates?

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
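The disagreement above is about which of the three RFC 2560 section 2.2 rules lets a relying party accept an OCSP response signer: the issuing CA's own key, a delegated responder certificate carrying id-kp-OCSPSigning issued by that CA, or a responder the client trusts explicitly. The Python below is an added example written for this page, not code from either poster or from Mozilla; it models that decision over constructed certificates (the CA names, key ids and the "ocsp-root" responder are made up, and signature verification is assumed to have already succeeded) and then plays out the scenario Eddy describes: a client that trusts one responder for one CA, for every CA, or not at all.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

# id-kp-OCSPSigning, the EKU that marks a delegated responder (RFC 2560 4.2.2.2)
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, no real DER)."""
    subject: str
    issuer: str
    key_id: str                           # identifies the public key in the cert
    ekus: FrozenSet[str] = frozenset()    # extended key usage OIDs


@dataclass(frozen=True)
class OcspResponse:
    """A basic response whose signature is assumed to verify against signer_cert."""
    ca_key_id: str      # key of the CA that issued the certificate being checked
    signer_cert: Cert   # certificate of whoever signed the response


@dataclass
class ClientConfig:
    cas: Dict[str, Cert]
    # RFC 2560 2.2 option 2: responders the relying party trusts directly.
    # Value = key ids of the CAs the responder may answer for; None = any CA
    # (the way the thread describes a multi-CA proxy responder).
    trusted_responders: Dict[str, Optional[Set[str]]]


def responder_authorization(resp: OcspResponse, cfg: ClientConfig) -> Optional[str]:
    """Return which RFC 2560 2.2 rule authorizes the signer, or None if none does."""
    ca = cfg.cas.get(resp.ca_key_id)
    if ca is None:
        return None
    s = resp.signer_cert
    # Option 1: response signed with the key of the CA that issued the certificate.
    if s.key_id == ca.key_id:
        return "ca"
    # Option 3: authorized responder, issued by that CA and marked id-kp-OCSPSigning.
    if s.issuer == ca.subject and ID_KP_OCSP_SIGNING in s.ekus:
        return "delegated"
    # Option 2: trusted responder, configured at the client and within its scope.
    if s.key_id in cfg.trusted_responders:
        scope = cfg.trusted_responders[s.key_id]
        if scope is None or ca.key_id in scope:
            return "trusted"
    return None


# --- constructed scenario: all names and key ids are invented for this example ---
QUALIFIED_CA = Cert("CN=Qualified CA", "CN=Qualified CA", "ca-q")
# Separate root that signs OCSP responses for QUALIFIED_CA (the option 2 design)
OCSP_ROOT = Cert("CN=Separate OCSP Root", "CN=Separate OCSP Root", "ocsp-root")
OTHER_CA = Cert("CN=Other Public CA", "CN=Other Public CA", "ca-other")
# OTHER_CA's own delegated responder, reachable via that CA's AIA extension
OTHER_DELEGATE = Cert("CN=Other OCSP", "CN=Other Public CA", "other-ocsp",
                      frozenset({ID_KP_OCSP_SIGNING}))


def scenario(trusted_responders: Dict[str, Optional[Set[str]]]) -> Dict[str, Optional[str]]:
    """Evaluate three responses under one client trust configuration."""
    cfg = ClientConfig(cas={"ca-q": QUALIFIED_CA, "ca-other": OTHER_CA},
                       trusted_responders=trusted_responders)
    return {
        # QUALIFIED_CA's certificate, answered by the separate OCSP root
        "own_cert": responder_authorization(OcspResponse("ca-q", OCSP_ROOT), cfg),
        # OTHER_CA's certificate, answered by its own AIA-advertised responder
        "other_cert_via_its_aia": responder_authorization(
            OcspResponse("ca-other", OTHER_DELEGATE), cfg),
        # OTHER_CA's certificate, but the client forced the query to the one responder
        "other_cert_forced_to_trusted": responder_authorization(
            OcspResponse("ca-other", OCSP_ROOT), cfg),
    }


if __name__ == "__main__":
    print("scoped trust:  ", scenario({"ocsp-root": {"ca-q"}}))
    print("proxy trust:   ", scenario({"ocsp-root": None}))
    print("no local trust:", scenario({}))
```

Read the three runs against the thread: with no local trust entry the separate root authorizes nothing, which is what a client that has not read the CPS sees; with a scoped entry the CA's own certificates validate while a query about another CA's certificate forced to that responder is rejected; only the unscoped proxy configuration accepts it, and then the client is trusting that one key for every CA it knows.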