[caops-wg] OCSP - proxy certs
Jesus Luna
jluna at ac.upc.edu
Tue Jun 14 13:08:50 CDT 2005
Mike Helm wrote:
> Jesus Luna writes:
>
>> The client is the only one that can identify Proxy Certificates (in
>> fact it is pretty easy to do with the CoG Java implementation)
>> therefore releasing the OCSP server from such "customization".
>
> How does this client do this?
>
CoG v1.2 has the class org.globus.gsi.bc.BouncyCastleUtil containing the
method getCertificateType(), which is used by the ProxyPathValidator class
(and our own OCSP client) to identify if we are dealing with a Proxy
Certificate, a CA cert or an EEC (the interface org.globus.gsi.GSIConstants
contains the possible return values for such method).
Do not forget that such libraries are used not only on the client side
(i.e. grid-proxy-init) but also on the WSRF Container side.
> One of the motivations for doing OCSP is to lighten the cert checking
> burden on the client (to 1 ocsp status
> check call). So I think it would be good if we understood
> this issue better....
>
I agree with you, so let me present the pseudocode of our current
implementation in the ProxyPathValidator class:
/**
 1-First let us build an OCSP Request with the certificates received in
   the Proxy Certificate Path.
 2-The Proxy Certificate itself does not need to be added since the current
   OCSP Responder implementation will always return an "Unknown" status.
 3-As soon as the OCSP Responder allows Proxy Cert validation we will
   modify this.
**/
for each Certificate in CertificatePath and not ProxyCertificate {
    addOCSPRequest(Certificate);
}

/**
 4-Now it is time to read the OCSP Responders' URIs.
 5-In future versions this may be included in a security descriptor.
**/
initializeOCSPHostList();

/**
 6-If required we can add OCSP extensions to retrieve (experimental use).
**/
addOCSPExtensions();

/**
 7-And finally execute the OCSP call.
**/
doOCSP();

/**
 8-Retrieve the OCSP Response.
 9-We are parsing this information as a data structure of the form
   int[host][certNumber], where:
   - host=OCSP Responder that was contacted (according to OCSPHostList)
   - certNumber=identifies the position in the OCSPRequest list of the
     certificate whose status is being retrieved
**/
for each host and each certNumber in ocspResponse {
    if (ocspResponse[host][certNumber] != Good)   // One of Good, Revoked or Unknown
        return with Code=ProxyPathInvalid;
}
return with Code=ProxyPathValid;
> Thanks, ==mwh
--
____________________
Jesus Luna Garcia
PhD Student. Polytechnic University of Catalonia
Barcelona, Spain
jluna at ac.upc.edu
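The validation flow described in the message above, as an added stand-alone example that is not part of the original post and not code from the CoG toolkit. It models the pieces a client needs: a certificate-type classifier in the spirit of getCertificateType() (here a hypothetical classify() that uses basicConstraints and the RFC 3820 naming rule "proxy subject = issuer DN plus one extra CN"), a request builder that skips proxy certificates, a simulated responder table standing in for the network call in doOCSP(), and the host x certNumber status matrix evaluated fail-closed, so that a Revoked or Unknown answer from any contacted responder invalidates the path. All certificate records, serial numbers and responder names are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (OpenSSL one-line DNs)."""
    subject: str
    issuer: str
    serial: int
    basic_constraints_ca: bool


class CertType(Enum):
    CA = "CA"
    EEC = "EEC"
    PROXY = "PROXY"


class Status(Enum):
    GOOD = "Good"
    REVOKED = "Revoked"
    UNKNOWN = "Unknown"


def dn_components(dn: str) -> List[str]:
    """Split '/C=ES/O=UPC/CN=jluna' into its RDN components."""
    return [part for part in dn.split("/") if part]


def classify(cert: Cert) -> CertType:
    """Hypothetical equivalent of getCertificateType(): CA if basicConstraints
    says so, PROXY if the subject is the issuer DN with exactly one extra CN
    appended (RFC 3820 naming rule), otherwise an end-entity certificate."""
    if cert.basic_constraints_ca:
        return CertType.CA
    subj, iss = dn_components(cert.subject), dn_components(cert.issuer)
    if len(subj) == len(iss) + 1 and subj[:-1] == iss and subj[-1].startswith("CN="):
        return CertType.PROXY
    return CertType.EEC


def build_ocsp_request(path: List[Cert]) -> List[Cert]:
    """Steps 1-3: every certificate in the path except proxies goes into the
    request; the responder cannot vouch for proxies, so asking is pointless."""
    return [c for c in path if classify(c) != CertType.PROXY]


# host -> {serial: status}; a simulated responder replacing the network call.
ResponderTable = Dict[int, Status]


def do_ocsp(request: List[Cert],
            responders: Dict[str, ResponderTable]) -> Dict[str, List[Status]]:
    """Steps 4-9: ask each responder about each requested certificate and
    return the host x certNumber matrix. A serial the responder has never
    heard of yields Unknown, exactly as a real responder would answer."""
    return {host: [table.get(c.serial, Status.UNKNOWN) for c in request]
            for host, table in responders.items()}


def validate_path(path: List[Cert],
                  responders: Dict[str, ResponderTable]) -> Tuple[bool, str]:
    """Fail closed: the path is valid only if every responder reported Good
    for every requested certificate. Returns (valid, reason)."""
    request = build_ocsp_request(path)
    for host, statuses in do_ocsp(request, responders).items():
        for cert_number, status in enumerate(statuses):
            if status != Status.GOOD:
                return False, (f"ProxyPathInvalid: {host} reported {status.value} "
                               f"for certNumber {cert_number} "
                               f"(serial {request[cert_number].serial})")
    return True, "ProxyPathValid"


# Constructed sample path: proxy -> EEC -> CA (leaf first).
CA_CERT = Cert("/C=ES/O=UPC/CN=UPC CA", "/C=ES/O=UPC/CN=UPC CA", 1, True)
EEC_CERT = Cert("/C=ES/O=UPC/CN=jluna", "/C=ES/O=UPC/CN=UPC CA", 42, False)
PROXY_CERT = Cert("/C=ES/O=UPC/CN=jluna/CN=proxy", "/C=ES/O=UPC/CN=jluna", 1000, False)
SAMPLE_PATH = [PROXY_CERT, EEC_CERT, CA_CERT]

# Constructed responder tables (hostnames are placeholders, not real services).
RESPONDERS_OK = {"ocsp.example.invalid": {1: Status.GOOD, 42: Status.GOOD}}
RESPONDERS_REVOKED = {"ocsp.example.invalid": {1: Status.GOOD, 42: Status.REVOKED}}
# A second responder that has never seen serial 42 answers Unknown for it.
RESPONDERS_PARTIAL = {"ocsp.example.invalid": {1: Status.GOOD, 42: Status.GOOD},
                      "ocsp2.example.invalid": {1: Status.GOOD}}

if __name__ == "__main__":
    for name, table in (("ok", RESPONDERS_OK), ("revoked", RESPONDERS_REVOKED),
                        ("partial", RESPONDERS_PARTIAL)):
        print(name, validate_path(SAMPLE_PATH, table))
```

The third scenario is worth noting for anyone wiring this into a real validator: because the matrix is evaluated across every host in the responder list, a responder that simply does not serve one of the CAs in the path answers Unknown and the whole path is rejected, so the responder list has to be chosen per issuing CA (or the evaluation scoped per host) rather than applied globally.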