On 28/10/2015 10:24, M K Saravanan wrote:
Hi,

Upon checking the wireshark capture, I found the OCSP response does not send
signer cert, but only the responderID (byKey).

In such a scenario, where do I find the OCSP response signer cert?

Clarifying my own question.

https://tools.ietf.org/html/rfc6960#section-4.2.2.3 says:

---------------
The purpose of the ResponderID information is to allow clients to
find the certificate used to sign a signed OCSP response.  Therefore,
the information MUST correspond to the certificate that was used to
sign the response.

The responder MAY include certificates in the certs field of
BasicOCSPResponse that help the OCSP client verify the responder's
signature.
-----------------

I understand that it is not mandatory to send the OCSP response signer
certificate in the OCSP response.  So in such cases, where to find the OCSP
response signer certificate?  That is my question.

Obvious first check is to see if it is the CA certificate
that issued the certificate you are checking.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
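
A sketch of that first check, added here as an example and not part of the original message: RFC 6960 defines the byKey ResponderID as the SHA-1 hash of the subjectPublicKey BIT STRING value in the responder's certificate, so it can be compared against each certificate you already hold, starting with the issuing CA. The candidate names, the `tlv`/`fake_cert` helpers and the sample data are constructed for illustration; real use would pass DER-encoded certificates and the 20-byte ID seen in the capture.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def ocsp_key_hash(cert_der):
    """RFC 6960 KeyHash: SHA-1 of the key bits (no tag, length, unused-bits octet)."""
    _, cert, _ = read_tlv(cert_der, 0)
    tbs = children(children(cert)[0][1])
    if tbs[0][0] == 0xA0:  # skip the optional [0] version field
        tbs = tbs[1:]
    tag, bits = children(tbs[5][1])[1]  # tbs[5] is SPKI, after serial..subject
    if tag != 0x03:
        raise ValueError("subjectPublicKey BIT STRING not found")
    return hashlib.sha1(bits[1:]).digest()

def find_signer(responder_key_hash, candidates):
    """Name of the candidate whose key hash equals the byKey ResponderID."""
    for name, der in candidates.items():
        if ocsp_key_hash(der) == responder_key_hash:
            return name
    return None

# --- constructed sample data: skeleton certificates, not real ones ---
def tlv(tag, content):
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def fake_cert(key):
    e = tlv(0x30, b"")  # empty placeholder SEQUENCE
    spki = tlv(0x30, e + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + e * 4 + spki)
    return tlv(0x30, tbs + e + tlv(0x03, b"\x00"))
CANDIDATES = {"issuing-ca": fake_cert(b"A" * 270), "other-ca": fake_cert(b"B" * 270)}
RESPONDER_ID = hashlib.sha1(b"A" * 270).digest()  # constructed byKey value
```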
