On 23-07-2013 23:56, Steven Madwin wrote:
> The short answer is no. An OCSP response has to be signed by the issuer (or
> a delegate of the issuer) and a self-signed cert is issued by itself. As a
> general rule certs can't revoke themselves so there is no need to get a
> revocation response for a self-signed cert.
Once again, I would like to advocate that the openssl verification code
should allow a self-signed certificate to revoke itself, using the same
mechanisms as for revoking anything else.

Specifically, for CA root certs:

- A CA root can expire and/or fail other validity conditions just like
 everybody else.
- If a CRL is available issued by the CA, the CA cert itself is (also)
 checked against it.  If a CRL declares its issuing CA invalid, no later
 CRL can counter this, regardless of dates or signatures (because such a
 revocation is probably due to root key compromise, and any other CA signed
 message may be forged, while the possibility of a forged revocation is itself
 proof of compromise).
- If an OCSP server is available, it is (also) asked about the root cert
 itself, and once a signed negative response is received, it overrides all
 other uses of that root.
- In full systems (such as browsers), root-revocation messages (in CRL or
 OCSP form) should be stored permanently so no future (forged) response can
 undo them; the API should be designed so that implementing this is easy.

Specifically for self-signed end entity certs:
- Revocation checks should be done as for a CA root cert.
- Where the protocols require/assume the CA cert to be marked with CA:TRUE,
 this should be ignored solely for the purpose of checking for
 self-revocation and self-issuance.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
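The CRL half of the self-revocation check described in the post above, as an added example written for this page in Go (not code from OpenSSL or from anyone in the thread). It assumes only Go's standard crypto/x509 and constructs a throwaway self-signed root, so it runs offline; the CRL is trusted only if it verifies under the root's own key, which is the "same mechanisms as for revoking anything else" point.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// buildRootAndCRL: throwaway self-signed root (constructed data) and a CRL signed with its own key.
func buildRootAndCRL(revokeSelf bool) (*x509.Certificate, []byte, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: "constructed-root"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		// CA:TRUE plus crlSign is what Go's CRL signing and verification demand
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil { return nil, nil, err }
	cert, _ := x509.ParseCertificate(der) // DER produced just above; cannot fail
	var revoked []pkix.RevokedCertificate
	if revokeSelf { // the root lists its own serial number
		revoked = []pkix.RevokedCertificate{{SerialNumber: cert.SerialNumber, RevocationTime: now}}
	}
	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: revoked,
	}, cert, key)
	return cert, crl, err
}

// SelfRevoked is the proposed check: trust the CRL only if it verifies under the
// self-signed cert's own key, then look for that cert's own serial in it.
func SelfRevoked(cert *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return false, err }
	if err := crl.CheckSignatureFrom(cert); err != nil {
		return false, err // unverifiable CRL says nothing about revocation
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

A CRL signed by some other key fails CheckSignatureFrom and is rejected rather than being read as either "revoked" or "good", which is the behaviour the post asks for.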

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
