RE: OCSP request/response signing

[Bob Kupperstein]

Here’s my understanding, and it seems to work using the OpenSSL OCSP client and responder, provided the appropriate certificates are installed in the right places (I’m using a 0.9.7 stable release from 9/02.   -Bob   -----Original Message----- From: Howard Chan [mailto:[EMAIL PROTECTED]] Sent: Tuesday, October 29, 2002 6:11 AM To: [EMAIL PROTECTED] Subject: OCSP request/response signing   Hello all,   I'm working with Openssl 0.9.7beta3's OCSP command, both client and server.   I'm a bit puzzled with how to establish the following :   1.  Signed requests from client   The OCSP request should be signed by a CA that is known by the responder.   2.  Request verification from server   The responder can verify the request if it has the CA certificate of the CA that signed the OCSP request.   3.  Signed responses from server   The OCSP response should be signed with a specific certificate that is known by the client, or by any certificate signed by a CA known by the client.   4.  Response verification from client   The OCSP client can accept a VA certificate argument (a known certificate from a particular responder that is used as the response certificate) or a CA certificate argument (specifying which CA is signing the OCSP response).