[caops-wg] OCSP section 7
Jesus Luna
jluna at ac.upc.edu
Fri Jun 3 09:52:21 CDT 2005
Hi,
Just like in our former email we had a cunfusion with the trust
relations between entities shown in figure 1, but after a closer look we
now agree with Olle.
Best regards,
>> --In the last paragraph on page 9 we propose to clarify the text
>> "...incoming OCSP request in turn copied by the OCSP client from the
>> subscriber certificate that is currently being validated." changing
>> it with the following "...incoming OCSP request specified by the
>> client according to the AIA extension in the certificate that is
>> currently being validated".
>
>
>
>> --In the second paragraph on page 10 the text "...may join efforts
>> and set up a shared Trusted responder that serves requests on behalf
>> on all of the CAs", from our point of view if a set of CAs will trust
>> in a Responder then it becomes an Authorized Responder.
>
>
> What I'm saying is that the CAs may set up a responder that works in
> Trusted mode -- not that they themselves trust the responder! Here, I
> was thinking of e.g. the ESNet OCSP service responding to queries for
> many (all?) of the GridPMA CAs, or a root-level responder answering to
> all queries in a PKI hierarchy: in both cases, for the responder to be
> called Authorized, each and every CA in the PMA/PKI would need to
> issued an OCSP signing certificate! In regards to hierarchies, this is
> IMO a shortcoming in the RFC, and some OCSP profiles (such as Identrus
> from the banking world) augments the RFC on this point, to allow for
> an OCSP responder that is issued an OCSP signing certificate from the
> root CA to be regarded as Authorized for any certificate in the whole
> hierarchy. Text should be added in this regard.
>
>> * We have been analyzing the new diagram in figure 1 and we find that
>> we would need to clarify the trust relationships among the different
>> components that are presented.
>
>
> Good point.
>
>> -- At then end of definition 7.1: "The CA trusts in the Authorized
>> Responder as a source of status information for the certificates of
>> its own hierarchy . On the other hand, if the Client does not trust
>> such hierarchy then it will not trust in such Authorized Responder".
>
>
> Equivalent text has been added, although the part about hierarchies in
> the first sentence is not true: see comment above. The last sentence
> seems like a rather superfluous comment: if you don't trust the CA,
> you don't trust the responder that is has designated as authoritative.
>
>> -- At the end of denifition 7.2: "The User trusts in the Trusted
>> Responder as a source of status information for the CAs hierarchies
>> which it has configured. However these CAs will not implicetly trust
>> in such Trusted Responder".
>
>
> Equivalent text has been added, although the part about hierarchies in
> the first sentence is not true: see comment above.
--
____________________
Jesus Luna Garcia
PhD Student. Polytechnic University of Catalonia
Barcelona, Spain
jluna at ac.upc.edu
More information about the caops-wg
mailing list