As I see, the correct way to handel this the malformed reply. Thanks.
Comments on my other questions? üdvözlettel/best regards: Varga Viktor rendszerüzemeltetési és vevőszolgálati vezető Netlock Kft. -----Original Message----- From: dev-tech-crypto-bounces+varga_v=netlock...@lists.mozilla.org [mailto:dev-tech-crypto-bounces+varga_v=netlock...@lists.mozilla.org] On Behalf Of Jean-Marc Desperrier Sent: Tuesday, March 10, 2009 12:55 PM To: dev-tech-crypto@lists.mozilla.org Subject: Re: SV: Questions about Potentially Problematic Practices Peter Lind Damkjær wrote: > Varga Viktor wrote: >> <snip> > > OCSP request with multiple certificate from different CA >> -------------- >> >> The RFC has the possibility to send multiple certificate serial number into >> OCSP request. It is not defined that allowed or not, to put two certificate > > serial number, from different CA. >> >> Request ::= SEQUENCE { > > reqCert CertID, Each CertID in the request contains both the serialNumber *and* the issuerNameHash. So it's perfectly defined that you can use it to identify two certificate from different CA. >> In the response, there is only one signature field. So the signature needs to be from an OCSP responder that's valid for *both* CA. This means, as per "4.2.2.2 Authorized Responders", that this configuration can only work if the responder matches a local configuration of OCSP signing authority, and therefore can not simply be the CA or a certificates that has been delegated the OCSP responder role with id-ad-ocspSigning. > Several serial numbers in a request do not comply to OCSP responders > that follow RFC5019 so I'll suggest to use a strategy to split it into > several requests. Yes, only responders that implement the full RFC2560 can accept this, not those who implement the RFC5019 high-volume environments profile. What's more, the requirement for local configuration mean it can only be used with a local responder, that's responsible for responding for *all* CA. So it's much better to not try to handle this special case that can only work in a very restricted environment, and split the request. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto _______________________________________________________________________ Ezt az e-mailt virus- es SPAM-szuresnek vetettuk ala a filter:mail MessageLabs rendszerrel. Tovabbi informacio: http://www.filtermax.hu This email has been scanned for viruses and SPAM by the filter:mail MessageLabs System. More information: http://www.filtermax.hu ________________________________________________________________________ _______________________________________________________________________ Ezt az e-mailt virus- es SPAM-szuresnek vetettuk ala a filter:mail MessageLabs rendszerrel. Tovabbi informacio: http://www.filtermax.hu This email has been scanned for viruses and SPAM by the filter:mail MessageLabs System. More information: http://www.filtermax.hu ________________________________________________________________________________________ -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
