[caops-wg] OCSP - proxy certs

Jesus Luna jluna at ac.upc.edu
Tue Jun 14 13:08:50 CDT 2005


Mike Helm wrote:

> Jesus Luna writes:
>  
>
>> The client is the only one that can identify Proxy Certificates (in 
>> fact it is pretty easy to do with the CoG Java implementation) 
>> therefore releasing the OCSP server from such "customization".
>>   
>
>
> How does this client do this?   
>
CoG v1.2 has the class org.globus.gsi.bc.BouncyCastleUtil containing the
method getCertificateType(), which is used by the ProxyPathValidator class
(and our own OCSP client) to identify whether we are dealing with a Proxy
Certificate, a CA cert or an EEC (the interface org.globus.gsi.GSIConstants
contains the possible return values of that method).
Do not forget that such libraries are used not only on the client side
(i.e. grid-proxy-init) but also on the WSRF container side.

> One of the motivations for doing OCSP is to lighten the cert checking 
> burden on the client (to 1 ocsp status
> check call).  So I think it would be good if we understood
> this issue better....
>  
>
I agree with you, so let me present the pseudocode of our current
implementation in the ProxyPathValidator class:

/**
1-First let us build an OCSP Request with the certificates received in
the Proxy Certificate Path.
2-The Proxy Certificate itself does not need to be added, since the current
OCSP Responder implementation will always return an "Unknown" status for it.
3-As soon as the OCSP Responder allows Proxy Cert validation, we will
modify this.
**/

for each Certificate in CertificatePath where Certificate is not a ProxyCertificate {
   addOCSPRequest(Certificate);
}

/**
4-Now it is time to read the OCSP Responder URIs.
5-In future versions these may be included in a security descriptor.
**/

initializeOCSPHostList();

/**
6-If required, we can add OCSP extensions to the request (experimental use).
**/

addOCSPExtensions();

/**
7-And finally execute the OCSP call.
**/

doOCSP();

/**
8-Retrieve the OCSP Response.
9-We are parsing this information into a data structure of the form
int[host][certNumber], where:
- host=OCSP Responder that was contacted (according to OCSPHostList)
- certNumber=identifies the position in the OCSPRequest list of the
certificate whose status is being retrieved
**/

for each host and each certNumber in ocspResponse {
   if (ocspResponse[host][certNumber] != Good) {   // One of Good, Revoked or Unknown
      return ProxyPathInvalid;
   }
}
return ProxyPathValid;

> Thanks, ==mwh
>  
>



-- 

____________________
Jesus Luna Garcia
PhD Student. Polytechnic University of Catalonia
Barcelona, Spain
jluna at ac.upc.edu 
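To make the pseudocode in the message above concrete, here is an added Python model of the same flow. It is constructed for this page and is not CoG code or the author's implementation: the Cert dataclass, make_responder, the sample DNs and serial numbers, and the in-memory "responders" are all assumptions standing in for real X.509 objects and network calls, and certificate_type() is a simplification of what BouncyCastleUtil.getCertificateType() does (it recognises the legacy GSI-2 "CN=proxy" / "CN=limited proxy" naming rule and the RFC 3820 ProxyCertInfo extension, OID 1.3.6.1.5.5.7.1.14). It implements the checks the post describes: proxies are left out of the request, the request is sent to every responder in the host list, the answers are collected as status[host][certNumber], and the path is rejected on anything other than Good, including the case where a responder returns no answer at all for one of the certificates.

```python
"""Model of the proxy-path OCSP check described in the post (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# OID of the RFC 3820 ProxyCertInfo extension; its presence marks an RFC 3820 proxy.
PROXY_CERT_INFO_OID = "1.3.6.1.5.5.7.1.14"

# Status values as the post names them.
GOOD, REVOKED, UNKNOWN = "Good", "Revoked", "Unknown"


@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate (assumed structure, not a real parser)."""
    subject: str
    issuer: str
    serial: int
    is_ca: bool = False                                   # basicConstraints cA flag
    extensions: List[str] = field(default_factory=list)   # extension OIDs present


def certificate_type(cert: Cert) -> str:
    """Classify as CA, EEC or a proxy type (simplified version of getCertificateType())."""
    if cert.is_ca:
        return "CA"
    if PROXY_CERT_INFO_OID in cert.extensions:
        return "GSI_3_PROXY"                   # RFC 3820 proxy certificate
    # Legacy GSI-2 proxies: subject is the issuer's subject plus one CN component.
    if cert.subject == cert.issuer + "/CN=proxy":
        return "GSI_2_PROXY"
    if cert.subject == cert.issuer + "/CN=limited proxy":
        return "GSI_2_LIMITED_PROXY"
    return "EEC"


def is_proxy(cert: Cert) -> bool:
    return certificate_type(cert).endswith("PROXY")


def build_ocsp_request(path: List[Cert]) -> List[Tuple[str, int]]:
    """Steps 1-3: one CertID (issuer name, serial) per non-proxy cert in the path."""
    return [(c.issuer, c.serial) for c in path if not is_proxy(c)]


# A responder is modelled as a function from CertID to a status, or None when it
# sent no SingleResponse for that CertID (stand-in for the network exchange).
Responder = Callable[[Tuple[str, int]], Optional[str]]


def do_ocsp(request: List[Tuple[str, int]],
            responders: Dict[str, Responder]) -> Dict[str, List[str]]:
    """Steps 4-9: query every responder in the host list and build status[host][certNumber].
    A missing answer is recorded as Unknown so that the caller fails closed."""
    response: Dict[str, List[str]] = {}
    for host, ask in responders.items():
        response[host] = [ask(cert_id) or UNKNOWN for cert_id in request]
    return response


def validate_proxy_path(path: List[Cert], responders: Dict[str, Responder]) -> str:
    """The decision loop from the post: any status other than Good invalidates the path."""
    response = do_ocsp(build_ocsp_request(path), responders)
    for host in response:
        for status in response[host]:          # indexed by certNumber
            if status != GOOD:                 # Revoked or Unknown
                return "ProxyPathInvalid"
    return "ProxyPathValid"


# --- constructed sample data (assumed names, serials and DNs) --------------------
CA_DN = "/C=ES/O=UPC/CN=Example Grid CA"
USER_DN = "/C=ES/O=UPC/CN=Jane User"

CA = Cert(CA_DN, CA_DN, 1, is_ca=True)
EEC = Cert(USER_DN, CA_DN, 1001)
PROXY = Cert(USER_DN + "/CN=proxy", USER_DN, 7)                 # legacy GSI-2 proxy
RFC_PROXY = Cert(USER_DN + "/CN=123456", USER_DN, 8, extensions=[PROXY_CERT_INFO_OID])

PATH = [PROXY, EEC, CA]        # leaf first, trust anchor last


def make_responder(db: Dict[Tuple[str, int], str]) -> Responder:
    """Build an in-memory responder from a CertID -> status table."""
    return lambda cert_id: db.get(cert_id)


GOOD_DB = {(CA_DN, 1): GOOD, (CA_DN, 1001): GOOD}
REVOKED_DB = {(CA_DN, 1): GOOD, (CA_DN, 1001): REVOKED}
PARTIAL_DB = {(CA_DN, 1): GOOD}                 # responder has no record of the EEC


if __name__ == "__main__":
    print([certificate_type(c) for c in PATH])
    print(build_ocsp_request(PATH))
    print(validate_proxy_path(PATH, {"ocsp1": make_responder(GOOD_DB),
                                     "ocsp2": make_responder(PARTIAL_DB)}))
```

Two points the model makes visible that the pseudocode leaves implicit: a responder that simply omits a certificate from its answer is treated the same as an explicit Unknown, and with several responders configured every one of them has to say Good for every certificate, so one misconfigured or out-of-date responder is enough to reject an otherwise valid path.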




