Jean-Marc Desperrier wrote, On 2009-03-10 04:55:
> Peter Lind Damkjær wrote:
>> Varga Viktor wrote:
>>> <snip>
>>> OCSP request with multiple certificates from different CAs
>>> --------------
>>>
>>> The RFC has the possibility to send multiple certificate serial numbers in an
>>> OCSP request. It is not defined whether it is allowed to put two certificate
>>> serial numbers from different CAs.
>>>
>>> Request ::= SEQUENCE {
>>>     reqCert CertID,
>
> Each CertID in the request contains both the serialNumber *and* the
> issuerNameHash. So it's perfectly defined that you can use it to
> identify two certificates from different CAs.
>
>>> In the response, there is only one signature field.
>
> So the signature needs to be from an OCSP responder that's valid for
> *both* CAs.
>
> This means, as per "4.2.2.2 Authorized Responders", that this
> configuration can only work if the responder matches a local
> configuration of OCSP signing authority, and therefore cannot simply be
> the CA or a certificate that has been delegated the OCSP responder role
> with id-ad-ocspSigning.
That's exactly right. But this whole discussion may be moot, because Firefox
does not presently ever send an OCSP request with multiple serial numbers.
Each cert is separately queried.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto