Hi,

Ryan Hurst wrote:
> They are doing a CA signed OCSP response, this is legitimate.
>
> We will do this in the not so distant future as well for many of our
> responses also.

If this is called a "CA signed OCSP response", what is *your* current response, which you will change in the future, called?

> You basically need to look at the responderID and see if it's the same
> entity that signed the certificate you are checking; if so, use that key
> material to do the validation.

Mh... The responderID is "3FD5B5D0D64479504A17A39B8C4ADCB8B022646B". I don't know how to check it. Can somebody help?

I sha1sum'ed the fingerprint, issuer and subject of level1 (COMODO High-Assurance Secure Server CA) and level2 (AddTrust External CA Root), but I did not find such a hash/value.

To me it looks like they are using some kind of delegated OCSP signer, but because they did not include the signer's certificate in the response like other OCSP responders are currently doing, I am unable to verify it (like openssl's binary), because I don't have the signer certificate. But how should I get it?

But maybe I am totally wrong... I am new to this, sorry.

Thanks.

-- 
Regards,
Igor
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
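The check Ryan describes, carried out with the openssl command line, as an added example that is not part of this thread and not openssl project code. It builds a throwaway CA, has that CA sign an OCSP response with a byKey ResponderID and no embedded certificates (the shape of response Igor is looking at), shows that `openssl ocsp -CAfile` alone fails because it cannot resolve the key hash to a certificate, recomputes the ResponderID as the SHA-1 of the CA's subjectPublicKey BIT STRING contents (the byKey definition in RFC 2560/6960, and what `openssl x509 -ocspid` prints as the public key OCSP hash), and finally verifies the response by handing openssl the CA certificate as a candidate signer with -verify_other. The CA and host names, the file names and the RSA-2048 DER offset are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a CA-signed OCSP response with a byKey
# ResponderID and no embedded certificates, and how to tie that ResponderID
# back to the CA's own key. Names and file names are this example's choices.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

setup_pki() {
    # Throwaway CA plus one leaf certificate issued by it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo OCSP CA" -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example" -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 30 -out leaf.pem 2>/dev/null
    # Empty CA database: every serial answers "unknown", which is enough
    # to obtain a signed response.
    : > index.txt
}

make_response() {
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null
    # One-shot responder signing with the CA key itself (a "CA signed OCSP
    # response"): -resp_key_id makes the ResponderID byKey instead of byName,
    # -resp_no_certs leaves the signer certificate out of the response.
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -resp_key_id -resp_no_certs -ndays 1 -noverify \
        -reqin req.der -respout resp.der >/dev/null
}

verify_without_signer() {
    # Igor's situation: neither the response nor the command line carries
    # the signer certificate, so openssl cannot resolve the key hash and
    # reports "signer certificate not found".
    if openssl ocsp -respin resp.der -CAfile ca.pem >/dev/null 2>&1; then
        echo verified
    else
        echo failed
    fi
}

verify_with_ca_as_signer() {
    # Ryan's advice in openssl terms: offer the issuing CA as a candidate
    # signer. openssl matches the byKey ResponderID against that
    # certificate's key hash, checks the signature, and accepts because the
    # signer is the issuer of the certificate the response is about.
    if openssl ocsp -respin resp.der -CAfile ca.pem -verify_other ca.pem \
        >/dev/null 2>&1; then
        echo verified
    else
        echo failed
    fi
}

responder_id() {
    # The byKey ResponderID as openssl prints it (40 uppercase hex digits).
    openssl ocsp -respin resp.der -noverify -text | sed -n 's/^ *Responder Id: //p'
}

ocspid_key_hash() {
    # openssl's own computation of the same value for the CA certificate.
    openssl x509 -in ca.pem -noout -ocspid | sed -n 's/^ *Public key OCSP hash: //p'
}

ca_key_hash() {
    # Independent recomputation: SHA-1 over the subjectPublicKey BIT STRING
    # contents only (no tag, length or unused-bits byte). This is the input
    # to hash, rather than the fingerprint or the issuer/subject names.
    openssl x509 -in ca.pem -noout -pubkey | openssl pkey -pubin -outform DER >spki.der
    # Layout assumption for an RSA-2048 SPKI: 294 bytes total; 4-byte outer
    # SEQUENCE header, 15-byte AlgorithmIdentifier, 5-byte BIT STRING header
    # (including the 00 unused-bits byte), so the key bytes start at offset 24.
    [ "$(wc -c <spki.der | tr -d ' ')" -eq 294 ] || return 1
    tail -c +25 spki.der | openssl dgst -sha1 | sed 's/.*= //' | tr a-f A-F
}

setup_pki
make_response
echo "verify with -CAfile only:     $(verify_without_signer)"
echo "verify with CA as signer:     $(verify_with_ca_as_signer)"
echo "ResponderID in response:      $(responder_id)"
echo "x509 -ocspid public key hash: $(ocspid_key_hash)"
echo "recomputed key hash:          $(ca_key_hash)"
```

The three hash values printed at the end are the same string, which is the check Igor wanted to make by hand: a byKey ResponderID is the SHA-1 of the signer's public key bits, so comparing it with `openssl x509 -ocspid` run over each candidate certificate in the chain tells you whether the CA itself or some other key signed the response. If no certificate in the chain matches, the signer is a delegated responder whose certificate has to come from elsewhere, and `-verify_other` is the way to hand it to openssl once you have it.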