[caops-wg] Which OCSP responder to trust?

Mike Helm helm at fionn.es.net
Sun Jan 22 17:41:52 CST 2006


Since Proxy certs are the thorniest problem (& the principal one
remaining that we know of), I will start with this.

Jesus Luna writes:
> In slide 4 of the presentation "OCSP-GGF15.ppt" three different OCSP 
> discovery mechanisms are mentioned to validate user and Proxy 
> Certificates; in this case we agree with them (in fact the first two are 
> referenced in some way in section "4.4 Responder discovery"), however it 
> could be convenient to mention also the possibility of using the 
> multicited OCSP Policy to accomplish such configuration at the relying 

What is the "multicited OCSP policy"?
> The third option "OCSP-signing proxy delegated to responder", could you 
> elaborate more on this? We are not getting the idea behind such concept.

Here are the comments from the minutes:

	When proxy uses AIA extension (=URL added), have to provide
	intelligence to OCSP objects that identifies the appropriate response
	and ensures authority of signer is appropriate.  Requires special
	software at OCSP level, or use some portion of AIA URL and make sure
	that OCSP signing certificate had corresponding name (yuck).  Best way
	is for user to delegate a proxy cert to OCSP responder in such a way
	that the cert has OCSP signature info.  Can have multiple URL's in one
	cert or proxy.  Essentially this is a bucket of URL's and info on
	what will be found at these URLs (note not CRL's!).  Clients can try
	these sequentially; some undefined logic is implied here.

I think that is referring to the same item.
What I am getting out of this, is an idea something like - 
create a service that manages a large number of delegate 
proxy OCSP responder certificates, per user or per proxy 
cert not clear.  In fact it is not clear that this is the
only possible content, perhaps a referral to real OCSP service
would be found at the end of it &c.

I wasn't there & it's not my idea, so I am not sure about it.
In an earlier meeting Olle discussed something similar but less
developed (see minutes info posted earlier).

Thanks, ==mwh
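The two pieces the minutes above ask for, AIA-based responder discovery and a check that "authority of signer is appropriate", can be made concrete with the Go standard library. This is an added example and is not code from this list post or from the CA Ops WG; the PKI it builds (a CA, a user certificate carrying two OCSP URLs in its AIA extension, a delegated responder, and a responder issued by an unrelated CA) is constructed in-process, and the hostnames are placeholders. The signer check it implements is the delegated-responder rule of RFC 6960 section 4.2.2.2 (the signer is the issuing CA itself, or a certificate the CA directly issued that carries id-kp-OCSPSigning), which the minutes do not name but which is the standard form of the requirement they describe.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Certificates of the constructed test PKI (hypothetical names, not a real deployment).
type testPKI struct {
	ca        *x509.Certificate // CA that issued the user certificate
	user      *x509.Certificate // end-entity cert carrying AIA OCSP URLs
	responder *x509.Certificate // delegated OCSP responder issued by ca
	rogue     *x509.Certificate // OCSP-signing cert issued by an unrelated CA
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs template under parent with signerKey and returns the parsed certificate.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// template builds a minimal certificate template; isCA adds the CA basic constraints.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

func buildPKI() *testPKI {
	caKey, otherKey, userKey, respKey, rogueKey := newKey(), newKey(), newKey(), newKey(), newKey()
	caT := template(1, "Constructed Grid CA", true)
	ca := issue(caT, caT, &caKey.PublicKey, caKey)
	otherT := template(2, "Unrelated CA", true)
	other := issue(otherT, otherT, &otherKey.PublicKey, otherKey)

	// The "bucket of URLs": AIA OCSP access locations, which clients try in order.
	userT := template(3, "Alice", false)
	userT.OCSPServer = []string{"http://ocsp-a.example.test/", "http://ocsp-b.example.test/"}
	user := issue(userT, ca, &userKey.PublicKey, caKey)

	// A responder the CA delegated to: directly issued by ca, with id-kp-OCSPSigning.
	respT := template(4, "OCSP Responder A", false)
	respT.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	responder := issue(respT, ca, &respKey.PublicKey, caKey)

	// Same EKU, but issued by a CA that has no authority over Alice's certificate.
	rogueT := template(5, "Someone Else's Responder", false)
	rogueT.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	rogue := issue(rogueT, other, &rogueKey.PublicKey, otherKey)

	return &testPKI{ca: ca, user: user, responder: responder, rogue: rogue}
}

// ocspURLs is the AIA-based discovery step: the OCSP access locations, in listed order.
func ocspURLs(c *x509.Certificate) []string {
	return c.OCSPServer
}

// authorizedResponder applies RFC 6960 section 4.2.2.2: a status response about a
// certificate from issuer may be signed by issuer itself, or by a certificate issuer
// directly signed that carries id-kp-OCSPSigning. Anything else is rejected.
func authorizedResponder(issuer, signer *x509.Certificate) bool {
	if signer.Equal(issuer) {
		return true
	}
	if err := signer.CheckSignatureFrom(issuer); err != nil {
		return false // not issued by the CA whose certificate status is in question
	}
	for _, eku := range signer.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return true
		}
	}
	return false
}

func main() {
	p := buildPKI()
	fmt.Println("OCSP URLs in AIA:", ocspURLs(p.user))
	fmt.Println("delegated responder authorized:", authorizedResponder(p.ca, p.responder))
	fmt.Println("user cert as signer authorized:", authorizedResponder(p.ca, p.user))
	fmt.Println("unrelated CA's responder authorized:", authorizedResponder(p.ca, p.rogue))
}
```

The point of the third and fourth checks is the one the minutes make: a URL in the AIA tells the client where to ask, not whom to believe, so a client that accepts any OCSPSigning certificate, or any certificate from the right CA without the EKU, gets the "authority of signer" step wrong.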
