Peter Lind Damkjær wrote:
> Varga Viktor wrote:
> > <snip>
> > OCSP request with multiple certificates from different CAs
> > --------------
> > The RFC has the possibility to send multiple certificate serial numbers in an
> > OCSP request. It is not defined whether it is allowed or not to put two
> > certificate serial numbers from different CAs.
>
> Request ::= SEQUENCE {
>     reqCert CertID,
>
> Each CertID in the request contains both the serialNumber *and* the
> issuerNameHash. So it's perfectly defined that you can use it to
> identify two certificates from different CAs.
>
> In the response, there is only one signature field.
> So the signature needs to be from an OCSP responder that's valid for
> *both* CAs.
>
> This means, as per "4.2.2.2 Authorized Responders", that this
> configuration can only work if the responder matches a local
> configuration of OCSP signing authority, and therefore cannot simply be
> the CA or a certificate that has been delegated the OCSP responder role
> with id-ad-ocspSigning.
>
> Several serial numbers in a request do not comply with OCSP responders
> that follow RFC 5019, so I'd suggest using a strategy of splitting it into
> several requests.
Yes, only responders that implement the full RFC 2560 can accept this,
not those that implement the RFC 5019 high-volume environments profile.

What's more, the requirement for local configuration means it can only be
used with a local responder that's responsible for responding for *all*
CAs.

So it's much better not to try to handle this special case, which can only
work in a very restricted environment, and to split the request.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
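As an added example (not part of the thread above, and not code from any of its participants), here is the two-CA request discussed in the thread, built and then split, in dependency-free Python. The CertID encoding shows why issuerNameHash and issuerKeyHash make a request covering several CAs well-defined, and the two split helpers implement the suggested strategy: one request per issuer, which any CA or id-ad-ocspSigning delegate of that CA can answer, or one request per certificate, which is what the RFC 5019 lightweight profile requires. The issuer names and keys are constructed byte strings standing in for the DER-encoded issuer Name and the issuer's subjectPublicKey; SHA-1 is used as the CertID hash algorithm because that is the hash RFC 5019 specifies. Only the unsigned OCSPRequest form is encoded and parsed here.

```python
"""Build, inspect and split OCSP requests carrying several CertIDs (RFC 2560).

Minimal DER handling for the unsigned OCSPRequest structure:

    OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] EXPLICIT Signature OPTIONAL }
    TBSRequest  ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, requestorName [1] GeneralName OPTIONAL,
                               requestList SEQUENCE OF Request, requestExtensions [2] EXPLICIT Extensions OPTIONAL }
    Request     ::= SEQUENCE { reqCert CertID, singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
    CertID      ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING,
                               issuerKeyHash OCTET STRING, serialNumber CertificateSerialNumber }
"""
import hashlib

TAG_INT, TAG_OCTET, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30


def der_tlv(tag, content):
    """Encode one DER tag-length-value; long-form length once content is 128 bytes or more."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def der_seq(*items):
    return der_tlv(TAG_SEQ, b"".join(items))


def der_int(value):
    """Non-negative INTEGER; DER requires a leading 0x00 when the top bit of the first byte is set."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(TAG_INT, body)


def der_children(content):
    """Split the content of a constructed element into a list of (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, length, pos = content[pos], content[pos + 1], pos + 2
        if length & 0x80:
            n = length & 0x7F
            length, pos = int.from_bytes(content[pos:pos + n], "big"), pos + n
        out.append((tag, content[pos:pos + length]))
        pos += length
    return out


# AlgorithmIdentifier for SHA-1 (OID 1.3.14.3.2.26 with NULL parameters), the CertID hash RFC 5019 specifies.
SHA1_ALGID = der_seq(der_tlv(TAG_OID, bytes.fromhex("2b0e03021a")), der_tlv(TAG_NULL, b""))


def cert_id(issuer_name_der, issuer_public_key, serial):
    """CertID: the issuer is pinned by hashes of its DER Name and its public key, so a serial is never ambiguous."""
    return der_seq(
        SHA1_ALGID,
        der_tlv(TAG_OCTET, hashlib.sha1(issuer_name_der).digest()),
        der_tlv(TAG_OCTET, hashlib.sha1(issuer_public_key).digest()),
        der_int(serial),
    )


def ocsp_request(cert_ids):
    """Unsigned OCSPRequest with one Request per CertID (version v1 is the DEFAULT and is therefore omitted)."""
    request_list = der_seq(*(der_seq(c) for c in cert_ids))
    return der_seq(der_seq(request_list))


def parse_cert_ids(request_der):
    """Return [(issuerNameHash, issuerKeyHash, serialNumber, raw CertID DER), ...] for an OCSPRequest."""
    tbs = der_children(der_children(request_der)[0][1])[0][1]
    # requestList is the first universal SEQUENCE in TBSRequest; [0]/[1] tagged fields (0xA0/0xA1) may precede it.
    request_list = next(body for tag, body in der_children(tbs) if tag == TAG_SEQ)
    out = []
    for _, request in der_children(request_list):
        certid_tag, certid_body = der_children(request)[0]
        _alg, name_hash, key_hash, serial = der_children(certid_body)
        out.append((name_hash[1], key_hash[1], int.from_bytes(serial[1], "big"), der_tlv(certid_tag, certid_body)))
    return out


def issuers(request_der):
    """Distinct issuers the request refers to, in first-seen order, keyed by (issuerNameHash, issuerKeyHash)."""
    return list(dict.fromkeys((n, k) for n, k, _, _ in parse_cert_ids(request_der)))


def split_by_issuer(request_der):
    """One request per issuer, answerable by that CA or a responder it delegated with id-ad-ocspSigning."""
    groups = {}
    for name_hash, key_hash, _, raw in parse_cert_ids(request_der):
        groups.setdefault((name_hash, key_hash), []).append(raw)
    return [ocsp_request(certids) for certids in groups.values()]


def split_for_rfc5019(request_der):
    """RFC 5019 responders accept exactly one Request per OCSPRequest, so split down to one per certificate."""
    return [ocsp_request([raw]) for _, _, _, raw in parse_cert_ids(request_der)]


if __name__ == "__main__":
    # Constructed stand-ins for two issuers' DER Name and subjectPublicKey (real callers pass the actual DER bytes).
    ca1 = (b"constructed DER Name of CA 1", b"constructed public key of CA 1")
    ca2 = (b"constructed DER Name of CA 2", b"constructed public key of CA 2")
    mixed = ocsp_request([cert_id(*ca1, 0x1001), cert_id(*ca2, 0x2002), cert_id(*ca1, 0x1003)])
    print("CertIDs:", len(parse_cert_ids(mixed)), "issuers:", len(issuers(mixed)))
    print("per-issuer requests:", [len(parse_cert_ids(r)) for r in split_by_issuer(mixed)])
    print("RFC 5019 requests:", len(split_for_rfc5019(mixed)))
```

The per-issuer split keeps several CertIDs in one request, which the full RFC 2560 allows and any responder authorized for that single CA can sign; the per-certificate split is what to send when the responder is known to follow the RFC 5019 profile.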