Varga Viktor wrote: <snip> OCSP request with multiple certificates from different CAs --------------
The RFC has the possibility to send multiple certificate serial numbers in one OCSP request. It is not defined whether it is allowed or not to put two certificate serial numbers from different CAs.

Request ::= SEQUENCE {
    reqCert                  CertID,
    singleRequestExtensions  [0] EXPLICIT Extensions OPTIONAL }

In the response, there is only one signature field. For example:

1. You have three certificates; to make it easy to imagine, a root, a subordinate CA and an end user.
2. You create an OCSP request for them, including the serial numbers in one request.
3. You get a response, but it has only one signature on it.

What is acceptable for this?

1. Report an error for the multiple request.
2. Sign with one of the OCSP responders?
   a. You could have an OCSP responder for the root, which can tell that the subordinate is OK.
   b. You could have an OCSP responder for the subordinate, which can tell that the end-user certificate is OK.
</snip>

Several serial numbers in a request do not comply with OCSP responders that follow RFC 5019, so I suggest using a strategy that splits it into several requests.

Best regards
Peter Lind Damkjaer
DanID
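As an added illustration of the split suggested in the reply (example code, not from the thread, DanID or any OCSP library): pure-Python DER that builds an unsigned OCSPRequest carrying several CertIDs, as in the root / subordinate CA / end-user case above, and breaks it into one-Request OCSPRequests, the single-Request shape RFC 5019 requires, so each can be answered and signed by the responder for that certificate's issuer. Issuer names, key bits and serial numbers are constructed placeholders, and SHA-1 is assumed as the CertID hash.

```python
import hashlib
SHA1_OID = bytes.fromhex("2b0e03021a")  # id-sha1 (1.3.14.3.2.26), DER content octets

def der_len(n):  # DER length octets: short form below 128, long form up to 65535
    return bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def cert_id(issuer_name_der, issuer_key_bits, serial):
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }."""
    alg = tlv(0x30, tlv(0x06, SHA1_OID) + tlv(0x05, b""))         # sha1 with NULL parameters
    name_hash = tlv(0x04, hashlib.sha1(issuer_name_der).digest())  # SHA-1 of issuer's DER Name
    key_hash = tlv(0x04, hashlib.sha1(issuer_key_bits).digest())   # SHA-1 of issuer's subjectPublicKey
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")   # positive INTEGER, sign bit clear
    return tlv(0x30, alg + name_hash + key_hash + tlv(0x02, ser))

def ocsp_request(cert_ids):
    """Unsigned OCSPRequest { TBSRequest { requestList SEQUENCE OF Request { reqCert CertID } } }."""
    return tlv(0x30, tlv(0x30, tlv(0x30, b"".join(tlv(0x30, c) for c in cert_ids))))

def parse(buf, pos=0):  # decode one DER TLV at pos -> (tag, content, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low seven bits give the number of length octets
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def children(content):  # (tag, content) pairs directly inside a constructed value
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = parse(content, pos)
        out.append((tag, val))
    return out

def request_list(req_der):
    """Content of TBSRequest.requestList: first universal SEQUENCE inside TBSRequest
    (the optional [0] version and [1] requestorName are context-tagged 0xA0/0xA1)."""
    tbs = children(parse(req_der)[1])[0][1]
    return next(val for tag, val in children(tbs) if tag == 0x30)

def split_request(req_der):
    """One single-Request OCSPRequest per Request in req_der, each to be sent to the
    responder for that certificate's issuer. singleRequestExtensions are dropped, output is unsigned."""
    return [ocsp_request([tlv(*children(req)[0])]) for _, req in children(request_list(req_der))]

ROOT = (b"CN=Constructed Root", b"\x00root-key")  # constructed placeholder issuer name / key bits,
SUB = (b"CN=Constructed Sub CA", b"\x00sub-key")  # not taken from real certificates
COMBINED = ocsp_request([cert_id(*ROOT, serial=1),   # root (self-issued)
                         cert_id(*ROOT, serial=2),   # subordinate CA, issued by the root
                         cert_id(*SUB, serial=3)])   # end-entity, issued by the subordinate
```

`split_request(COMBINED)` yields three requests; the last one is byte-identical to `ocsp_request([cert_id(*SUB, serial=3)])`, and splitting an already single-Request OCSPRequest returns it unchanged.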
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto