I vote no on this proposal due to OCSP interoperability issues.

-Kyle H

On Sat, Oct 11, 2008 at 1:58 PM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
> István Zsolt BERTA wrote, On 2008-10-07 07:07:
>> As I see we all agree on the fact that a 'trusted responder' can exist
>> according to RFC 2560, and it is possible that an OCSP responder
>> certificate is under a separate root. (There are various scenarios for
>> providing OCSP service, it can be provided by a CA directly or by
>> proxy responders, etc. but RFC 2560 does not deal with such issues.)
>>
>> Thus, I refuse any statement that would claim that our solution is not
>> RFC 2560 conformant.
>
> It is conformant IF and only IF the user (not the CA) chooses to trust
> that responder. If the CERTIFICATE issued by the issuer says to go to
> that responder for OCSP, but the responder's cert is not either
> a) the issuer's cert, or
> b) a cert issued by the same issuer as the cert under test,
> then it is not conformant. The RFC is very clear about that.
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
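
The responder authorization rule debated in this thread (RFC 2560, section 4.2.2.2), as an added example that is not part of the original messages: a simplified Python model with constructed sample certificates, showing why a responder under a separate root is accepted only through the relying party's own configuration. `Cert` and `responder_authorization` are hypothetical names, certificates are reduced to key identifiers, and signature and chain validation are assumed to have been done already; the check for the id-kp-OCSPSigning extended key usage on a delegated responder comes from the RFC.

```python
from dataclasses import dataclass

OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning


@dataclass(frozen=True)
class Cert:  # hypothetical simplified model, not real X.509 parsing
    subject: str
    key: str        # identifier of this certificate's public key
    signed_by: str  # identifier of the key that signed this certificate
    ekus: frozenset = frozenset()


def responder_authorization(issuer, responder, local_trust=frozenset()):
    """Return why `responder` may sign OCSP responses for certificates
    issued by `issuer`, or None if it is not an authorized responder.

    `local_trust` holds key identifiers the relying party (the user, not
    the CA) has explicitly configured as trusted responders.
    """
    # The responder is the CA that issued the certificate under test.
    if responder.key == issuer.key:
        return "issuer"
    # Delegated responder: issued directly by that same CA and marked
    # for OCSP signing in its extended key usage.
    if responder.signed_by == issuer.key and OCSP_SIGNING in responder.ekus:
        return "delegated"
    # Anything else, including a responder under a separate root, is
    # acceptable only through the relying party's own configuration.
    if responder.key in local_trust:
        return "local-config"
    return None


# Constructed sample certificates (all names and key ids are made up).
CA = Cert("CN=Example CA", "ca-key", "ca-key")
DELEGATED = Cert("CN=Example OCSP", "ocsp-key", "ca-key",
                 frozenset({OCSP_SIGNING}))
NO_EKU = Cert("CN=www.example.test", "ee-key", "ca-key")
OTHER_ROOT = Cert("CN=Proxy OCSP", "proxy-key", "other-root-key",
                  frozenset({OCSP_SIGNING}))

if __name__ == "__main__":
    for r in (CA, DELEGATED, NO_EKU, OTHER_ROOT):
        print(r.subject, "->", responder_authorization(CA, r))
    print("user-configured:",
          responder_authorization(CA, OTHER_ROOT, frozenset({"proxy-key"})))
```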