Hi, Steve
Thanks a lot.
Now I know where I am wrong.
> Now the responder's certificate doesn't have to be unique. In the
> example of the CA signing the response the responder's certificate will be
> the CA's certificate.
I always thought everyone (CA or responder, if they are different) has
their own unique and fixed certificate.
Now I know that in the CA-signing case, the responder's certificate is
just the CA's certificate.
Best regards,
wjw
----- Original Message -----
Sent: Monday, June 02, 2003 8:37 PM
Subject: Re: About finding OCSP response signer
On Mon, Jun 02, 2003, Wu Junwei wrote:
> Hi, Steve,
>
> Thanks for your kind answer.
>
> But, I am still not very clear.
>
> In my understanding
>
> I think the responder may not be the signer of the response because the CA of
> the certificate in question can sign the response itself.
>
> The public key got from the responder's certificate is X509_PUBKEY *key in
> X509_CINF struct in X509 struct.
> I think this public key should be the public key of the responder itself.
>
> So I still can not understand why the signer's public key must be the public
> key of the responder.
> Especially, when the CA signs the response itself.
>
>
> What step do you think in my understanding is wrong or not totally
> correct?
Well let me explain it a different way.

The response is always signed by a private key. That corresponding public
key (the responder's key) is contained in a certificate (the responder's
certificate).

The ResponderId is used to identify the responder's certificate.

Now the responder's certificate doesn't have to be unique. In the example of
the CA signing the response the responder's certificate will be the CA's
certificate.

It should be noted though that the model of a CA signing the response may
not be used too much in practice because it means the responder needs access
to the CA's private key.

Whereas the delegated model just needs a public key contained in a
certificate signed by that CA.
Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]