[caops-wg] OCSP - proxy certs

Jesus Luna jluna at ac.upc.edu
Fri Jun 10 06:27:02 CDT 2005


Mike Helm wrote:

>What is the status of this client library?  Is it freely available to
>developers?
We are in touch with Frank Siebenlist (Lead Security Architect from 
Globus) to integrate our OCSP client library (only the Java version is 
available at this time) into GT4.

>Am I interpreting this correctly:  "The client library will parse
>a chain of proxy certs in the correct RFC 2560 form (requestList &c)
>and create a RFC 2560 conforming OCSP query"?
Yes, that is correct.

>We need to think about this, in terms of supporting proxy
>certs.  Should we expect clients to distinguish proxy certs
>from EE or issuer certs?  (I would answer "No", but they could.)
The client is the only one that can identify Proxy Certificates (in fact 
it is pretty easy to do with the CoG Java implementation), thereby 
freeing the OCSP server from such "customization".

>We might have a lot of "unknown" status returns - the client
>will react to this how?  (Possibly not well, given the 
>recommended default.)
Exactly, that's why we recommended in our original email two possible 
approaches to this problem:

- From the client side:
  1. If no "Revoked" status was received from the OCSP Server for the whole 
     requestList, then the Proxy Certificate is valid.
     This behaviour works with any RFC 2560-compliant OCSP Server.

- From the OCSP Server side:
  1. A standard OCSP Server that does not support Proxy Certificate 
     Revocation should always reply with an "Unknown" status for such certificates.
  2. An OCSP Server that does support Proxy Certificate Revocation (like 
     CertiVeR, whose database stores Proxy Certificates that have been 
     revoked) will reply "Unknown" only if the Proxy Certificate has not been 
     revoked.

>Can we train trusted responders to return  "Good" unless
>the proxy is revoked?  Would this be a good thing to do?
>Why?  (It sounds reasonable, but what about previous discussion of
>exhausted revocation information.)  We need either to clear this up
>or clear up my misunderstanding :^)
It is not advisable because, given an X.509 Certificate, the OCSP Server 
does not have a secure mechanism to identify a Proxy Certificate.

Best regards,

-- 

____________________
Jesus Luna Garcia
PhD Student. Polytechnic University of Catalonia
Barcelona, Spain
jluna at ac.upc.edu 
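The exchange above describes two things the client has to do: put the whole proxy chain into one RFC 2560 requestList, and then accept the proxy certificate only if no member of the chain comes back "revoked", because a responder that does not track proxies answers "unknown" for them. The following is an added example modelling that client-side rule together with both responder behaviours (a standard responder and a proxy-aware one); it is not code from this message, from CertiVeR or from GT4. The chain, the serial numbers, the responder databases and the `strict_non_proxy` option are constructed for the example; the real CertID structure (hashes of issuer name and key) is simplified to an (issuer, serial) pair.

```python
"""Client-side OCSP checking of a proxy-certificate chain (added example).

Not code from the original message, CertiVeR or GT4. It models the client
rule proposed in the thread (valid iff no member of the chain is reported
"revoked") and the two responder behaviours discussed. All certificates,
serial numbers and responder databases below are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class Cert:
    issuer: str
    subject: str
    serial: int
    is_proxy: bool  # only the client knows this; the responder cannot tell


# Constructed chain: CA -> end-entity -> proxy -> proxy (innermost last).
CHAIN = (
    Cert("CN=Sample CA", "CN=Sample CA", 1, is_proxy=False),
    Cert("CN=Sample CA", "CN=Alice", 4711, is_proxy=False),
    Cert("CN=Alice", "CN=Alice/CN=proxy", 100, is_proxy=True),
    Cert("CN=Alice/CN=proxy", "CN=Alice/CN=proxy/CN=proxy", 200, is_proxy=True),
)


def build_request_list(chain):
    """One requestList entry per certificate in the chain, proxies included.
    A real CertID carries hashes of the issuer name and issuer key; the
    (issuer, serial) pair stands in for it here."""
    return [(c.issuer, c.serial) for c in chain]


def respond(request_list, ca_database, revoked_proxies=frozenset()):
    """Simulated responder. ca_database holds the statuses of certificates the
    CA issued (it knows nothing about proxies). revoked_proxies is the extra
    table a proxy-aware responder keeps; a standard responder has none.
    Anything the responder does not know is answered "unknown"."""
    answer = {}
    for cert_id in request_list:
        if cert_id in revoked_proxies:
            answer[cert_id] = CertStatus.REVOKED
        else:
            answer[cert_id] = ca_database.get(cert_id, CertStatus.UNKNOWN)
    return answer


def proxy_chain_valid(chain, answer, strict_non_proxy=False):
    """The thread's client-side rule: valid iff no member of the chain is
    reported "revoked". strict_non_proxy is an addition of this example, not
    part of the thread's proposal: it also rejects "unknown" for the EE and
    issuer certificates, whose status the CA's own responder should know."""
    for cert in chain:
        status = answer.get((cert.issuer, cert.serial), CertStatus.UNKNOWN)
        if status is CertStatus.REVOKED:
            return False
        if strict_non_proxy and not cert.is_proxy and status is not CertStatus.GOOD:
            return False
    return True


def scenarios():
    """Run the constructed chain through several responder situations."""
    req = build_request_list(CHAIN)
    ca_db = {("CN=Sample CA", 1): CertStatus.GOOD,
             ("CN=Sample CA", 4711): CertStatus.GOOD}
    results = {}
    # 1. Standard responder: proxies come back "unknown", chain accepted.
    results["standard"] = proxy_chain_valid(CHAIN, respond(req, ca_db))
    # 2. Proxy-aware responder that recorded the innermost proxy as revoked.
    aware = respond(req, ca_db, revoked_proxies={("CN=Alice/CN=proxy", 200)})
    results["proxy_revoked"] = proxy_chain_valid(CHAIN, aware)
    # 3. The end-entity certificate itself is revoked: the chain falls with it.
    ee_revoked = {**ca_db, ("CN=Sample CA", 4711): CertStatus.REVOKED}
    results["ee_revoked"] = proxy_chain_valid(CHAIN, respond(req, ee_revoked))
    # 4. Responder that knows nothing at all: accepted by the thread's rule,
    #    rejected once the stricter (example-only) option is switched on.
    results["all_unknown"] = proxy_chain_valid(CHAIN, respond(req, {}))
    results["all_unknown_strict"] = proxy_chain_valid(
        CHAIN, respond(req, {}), strict_non_proxy=True)
    return results


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:20s} -> {'VALID' if ok else 'REJECTED'}")
```

Scenario 4 is the case Mike raised: with the thread's rule alone, a responder that returns "unknown" for everything (including the EE and CA certificates) still leads the client to accept the chain, which is why the example adds a stricter option for the non-proxy members that the client can identify on its own.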