My contacts at Netscape mentioned that a few CAs like Verisign have issued new root CA certs that support the new OCSP (Online Cert Status Protocol), specified in RFC 2560. He also mentioned that OCSP support will not only be included in future Netscape browser/messenger releases, but will also be turned on (enabled) by default.

Because of this, we think it is wise for us to also add OCSP support to our root CA certs. The folks at Netscape mentioned that I only have a few days to resubmit replacement root certs with OCSP support, in order to make the cutoff for the Mozilla 6.0 release. If we add OCSP support to our root certs by the cutoff, it would avoid having to reissue our root certs in a year or so.

Unfortunately they did not give me any idea how to do this. I do not know what we need to add to our root CA certs in order to allow them to support OCSP for issued certs. Since OCSP is recent, I would assume some type of X509v3 extension needs to be added to our root CA certs. But I have no details of what extension is needed and what object identifiers it uses.

Unfortunately, I do not have any of the new root CA certs from Verisign (or others) that support OCSP, so I cannot examine those certs for comparison, and look for X509v3 extensions. Do you know where we can download these new certs? I can't find them on Verisign's website. (BTW, none of the older Verisign root CA certs except the newest one in Mozilla 6.0 pr2 has OCSP support. And none of the Thawte root CA certs have it either.)

I would be most grateful if anyone has any info that might help. We do not need to implement OCSP yet, but we would like to make sure that our root certs support it now, so that we don't have to reissue replacement root CA certs in the near future, especially since our root CA certs will be bundled into web browsers.

BTW, it is cool that Richard Levitte managed to put together an OCSP patch for openssl.
Hopefully we can get permission from CertCo to use their code in openssl, or we can replace the CertCo code, so that we can bundle it into the next openssl release.

Thank you in advance.

Yours truly,
Alicia.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]