[kmf-discuss] PKIX certificate path validation

Huie-Ying Lee huie-ying.lee at sun.com
Tue Jan 8 15:51:56 PST 2008


Jan Pechanec wrote:
> On Fri, 21 Dec 2007, Huie-Ying Lee wrote:
> 
> 	hi Huie-Ying,
> 
>> If the number of OCSP responses does not correspond to the number of
>> certificates, then it is not easy to decide the mapping between the
>> certificates and the responses. A response file
> 
> 	I think that we can't force the situation where we have an OCSP 
> single response for each certificate. Every CA on the way can have a
> different policy so some might not use OCSP at all but CRL only.
> 	

Yes, there is no need to have an OCSP single response for each certificate,
as I commented in my last email right before the holiday break.


>> If there is only one response file for the entire chain, then it is OK,
>> because in this situation, we can safely assume that this response file
>> is for all the certificates in the chain.
> 
> 	I think that if the OCSP response list was "sorted" according to the 
> list of certificates then it's not a problem if some OCSP responses are 
> missing. It's not O(n^2) but O(n) then.
> 

Yes, it will be good if it is sorted.

> 	I also think that it would be better to get certificates and 
> responses in pairs in SSH protocols, where OCSP part would be optional. I 
> approached IETF SSH list with that. Do you think that if you got an array of 
> certificate/response pairs (response optional) that it would be better for 
> you?
> 

Yes, that will be much better because of no ambiguity.

If a certificate in the array (chain) doesn't have the response part, what's the
behavior you expect from kmf_validate_cert()? I assume that if the policy is
set to check the revocation status, then we should try to check CRL.

Huie-Ying
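The two structures discussed in this thread, a flat response list that has to be mapped onto the chain versus an array of (certificate, optional response) pairs, and the CRL fallback Huie-Ying asks about, modelled in a small Python example. This is added illustration code, not KMF or OpenSSH code; the certificate and OCSP records are constructed stand-ins (no real DER), the field names are assumptions, and the fallback policy in plan_revocation_checks() is the behaviour proposed in the message above, not documented kmf_validate_cert() behaviour.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real DER)."""
    subject: str
    issuer: str
    serial: int


@dataclass(frozen=True)
class OcspSingleResponse:
    """Minimal stand-in for one OCSP SingleResponse; its CertID names the
    certificate by issuer and serial number, which is what makes matching
    an unsorted, possibly incomplete response list to a chain possible."""
    issuer: str
    serial: int
    status: str  # "good", "revoked" or "unknown"


class Check(Enum):
    OCSP = "ocsp"  # a response for this certificate is in hand
    CRL = "crl"    # no response, but policy still requires a revocation check
    NONE = "none"  # no response and policy does not require one


Pair = Tuple[Cert, Optional[OcspSingleResponse]]


def pair_by_cert_id(chain: List[Cert], responses: List[OcspSingleResponse]) -> List[Pair]:
    """Turn two separate lists into the (cert, optional response) array that the
    paired-protocol proposal in the thread would deliver directly.

    Responses are matched on CertID (issuer, serial), so the list may be unsorted
    and shorter than the chain. A response that names no certificate in the
    chain, or a second response for the same certificate, is rejected rather
    than silently dropped: either one means the caller's mapping is ambiguous.
    """
    by_id: Dict[Tuple[str, int], OcspSingleResponse] = {}
    for r in responses:
        key = (r.issuer, r.serial)
        if key in by_id:
            raise ValueError(f"duplicate OCSP response for {key}")
        by_id[key] = r
    pairs: List[Pair] = [(c, by_id.pop((c.issuer, c.serial), None)) for c in chain]
    if by_id:
        raise ValueError(f"OCSP responses match no certificate in the chain: {sorted(by_id)}")
    return pairs


def plan_revocation_checks(pairs: List[Pair], check_revocation: bool) -> List[Tuple[Cert, Check]]:
    """Decide per certificate how a validator would check revocation given the
    paired array: OCSP when a response is present, CRL when it is absent and the
    policy demands a revocation check, nothing otherwise. (Assumed policy, as
    suggested in the thread; not the actual kmf_validate_cert() behaviour.)
    A response paired with the wrong certificate is an error, not a pass.
    """
    plan: List[Tuple[Cert, Check]] = []
    for cert, resp in pairs:
        if resp is not None:
            if (resp.issuer, resp.serial) != (cert.issuer, cert.serial):
                raise ValueError(f"response paired with {cert.subject} names another certificate")
            plan.append((cert, Check.OCSP))
        elif check_revocation:
            plan.append((cert, Check.CRL))
        else:
            plan.append((cert, Check.NONE))
    return plan


# Constructed sample chain: leaf <- intermediate <- self-signed root.
LEAF = Cert("CN=ssh-host.example", "CN=Example Intermediate CA", 0x1001)
INTER = Cert("CN=Example Intermediate CA", "CN=Example Root CA", 0x20)
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", 0x1)
CHAIN = [LEAF, INTER, ROOT]

# Constructed responses, deliberately out of chain order; the root has none,
# which is the "some CAs use CRL only" case Jan describes.
RESPONSES = [
    OcspSingleResponse("CN=Example Root CA", 0x20, "good"),
    OcspSingleResponse("CN=Example Intermediate CA", 0x1001, "good"),
]


def demo() -> List[Check]:
    """Map the sample lists to pairs, then plan checks with revocation required."""
    pairs = pair_by_cert_id(CHAIN, RESPONSES)
    return [check for _, check in plan_revocation_checks(pairs, check_revocation=True)]


if __name__ == "__main__":
    for cert, check in plan_revocation_checks(pair_by_cert_id(CHAIN, RESPONSES), True):
        print(f"{cert.subject}: {check.value}")
```

With the paired array in hand, the per-certificate decision is a single pass over the chain; the CertID lookup in pair_by_cert_id() is only needed when the transport delivers the two lists separately.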
