Howard,

My understanding is that there is no implied relationship between the request and response signing certificates and any certificates being verified.  The request and response certificates just need to be verifiable on their own by the recipient.  That assures that the request or response is coming from the expected party (or at least one who holds the private key for the signing certificate).

The request is signed by any certificate (-signer, -signkey) issued by any CA known by the responder.  There are two options to verify that the response comes from the expected source.  One is similar to the request: the response is signed by any certificate issued by a CA specified (-CAfile option) among the OCSP client options.  The second is to expect the response to be signed by a specific certificate (-VAfile option) specified among the OCSP client options.

This is the way I understand it to work with the OpenSSL client and responder.

-Bob

-----Original Message-----
From: Howard Chan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 29, 2002 10:41 PM
To: [EMAIL PROTECTED]
Subject: Re: OCSP request/response signing

Dear all (Bob),

Thank you.  I see evidence of response verification and OCSP client/server works fine, I know.  However, I'm still unclear with the relationships between the:

1) CA root cert which signed the certs I'm checking the status on,
2) OCSP request signing cert from client,
3) OCSP request verification cert from server,
4) OCSP response signing cert from server, and finally
5) OCSP response verification cert from client.

I'm using version 0.9.7 beta 3 right now.

Please also view my comments below.....

Thank you.

- Howard

----- Original Message -----
Sent: Tuesday, October 29, 2002 11:09 PM
Subject: RE: OCSP request/response signing

Here’s my understanding, and it seems to work using the OpenSSL OCSP client and responder, provided the appropriate certificates are installed in the right places (I’m using a 0.9.7 stable release from 9/02).

-Bob

-----Original Message-----
From: Howard Chan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 29, 2002 6:11 AM
To: [EMAIL PROTECTED]
Subject: OCSP request/response signing

Hello all,

I'm working with Openssl 0.9.7beta3's OCSP command, both client and server.

I'm a bit puzzled with how to establish the following:

1.  Signed requests from client

The OCSP request should be signed by a CA that is known by the responder.

HCHAN>>So I should sign the requests with the CA cert????  (i.e. cacert.pem)  Weird!

2.  Request verification from server

The responder can verify the request if it has the CA certificate of the CA that signed the OCSP request.

HCHAN>>I see no evidence from the Request/Response output of any Request verification.  How do I know it's doing this?

3.  Signed responses from server

The OCSP response should be signed with a specific certificate that is known by the client, or by any certificate signed by a CA known by the client.

HCHAN>>From defining "-rsigner" of my ocsp server command, I MUST point it to a cert which is signed by the root CA (which signed the cert I'm checking the status for), and this cert must also contain the corresponding private key.  Am I right or wrong here?

4.  Response verification from client

The OCSP client can accept a VA certificate argument (a known certificate from a particular responder that is used as the response certificate) or a CA certificate argument (specifying which CA is signing the OCSP response).

HCHAN>>I'm not sure whether to use "-VAfile" or "-CAfile".  Doing what I noted above for "-rsigner", can't I just parse this same cert (its public portion only) to "-CAfile" or "-VAfile"?  I know it fails when I use "-CAfile" and succeeds with "-VAfile".  I cannot explain why!!  Do you know?
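As an added example (not code from the thread, nor from the OpenSSL project), the following POSIX shell script rebuilds the situation discussed above with the openssl CLI and shows the rule that makes -CAfile and -VAfile behave differently. It assumes an openssl binary on PATH and writes everything into a temporary directory; every file name and subject name in it is constructed for the demo. With -CAfile, openssl ocsp builds a chain from the response signer to the trusted CA and then additionally requires the signer either to be the issuing CA itself or to carry the OCSPSigning extended key usage, so a responder certificate that is merely signed by the CA fails that check. With -VAfile the named certificate is trusted explicitly (the option implies -verify_other and -trust_other), so only the response signature is checked and the same plain certificate passes.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the OpenSSL project.
# Builds a throwaway PKI, answers an OCSP request offline with two different
# responder certificates, and verifies the responses with -CAfile and -VAfile.
# All file and subject names are constructed for this demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

WORK=$(mktemp -d)
cd "$WORK"

# Minimal config for 'openssl req' and 'openssl ca'. ca_ext marks the root as a CA,
# ee_ext is a plain end-entity profile, ocsp_ext adds the OCSPSigning EKU.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/cakey.pem
default_md      = sha256
default_days    = 365
policy          = demo_policy
x509_extensions = ee_ext
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ee_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
[ ocsp_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = OCSPSigning
EOF

issue() {  # issue <name> <extension section>: key + CSR + certificate signed by the demo CA
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1" -config ca.cnf 2>/dev/null
    openssl ca -batch -notext -config ca.cnf -extensions "$2" -in "$1.csr" -out "$1.pem" 2>/dev/null
}

setup_pki() {
    mkdir -p newcerts
    : > index.txt          # 'openssl ca' database; the responder reads it via -index
    echo 01 > serial
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout cakey.pem -out cacert.pem \
        -subj "/CN=Demo Root CA" -days 365 -config ca.cnf -extensions ca_ext 2>/dev/null
    issue leaf ee_ext               # certificate whose status is queried
    issue ocsp_delegated ocsp_ext   # responder certificate WITH the OCSPSigning EKU
    issue ocsp_plain ee_ext         # responder certificate WITHOUT it, only signed by the CA
}

make_request() {  # client side: ask about leaf, signing the request with leaf's own key
    openssl ocsp -no_nonce -issuer cacert.pem -cert leaf.pem \
        -signer leaf.pem -signkey leaf.key -reqout req.der >/dev/null 2>&1
}

make_response() {  # responder side: <signer name> <output file>, answered from the CA database
    openssl ocsp -no_nonce -index index.txt -CA cacert.pem \
        -rsigner "$1.pem" -rkey "$1.key" -reqin req.der -respout "$2" >/dev/null 2>&1
}

verify_response() {  # <response file> <-CAfile|-VAfile> <file>; prints OK or FAIL
    if openssl ocsp -no_nonce -reqin req.der -respin "$1" "$2" "$3" \
            -issuer cacert.pem -cert leaf.pem 2>&1 | grep -q "Response verify OK"; then
        echo OK
    else
        echo FAIL
    fi
}

setup_pki
make_request
make_response ocsp_delegated resp_delegated.der
make_response ocsp_plain resp_plain.der

echo "delegated signer (OCSPSigning EKU), -CAfile cacert.pem: $(verify_response resp_delegated.der -CAfile cacert.pem)"
echo "plain signer,                       -CAfile cacert.pem: $(verify_response resp_plain.der -CAfile cacert.pem)"
echo "plain signer,                       -VAfile ocsp_plain.pem: $(verify_response resp_plain.der -VAfile ocsp_plain.pem)"
```

The -no_nonce flag only keeps the offline request, response and verification runs consistent with one another. The design point is that -CAfile enforces the delegated-responder rule (chain to the CA plus the OCSPSigning extended key usage, or the issuing CA signing directly), while -VAfile is an explicit pin to one responder certificate that bypasses that rule; pin with -VAfile only when that responder certificate is deliberately chosen, and otherwise give delegated responders the OCSPSigning EKU so -CAfile can validate them.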
