Mike Helm wrote:
Jesus Luna writes:
The client is the only one that can identify Proxy Certificates (in fact it is pretty easy to do with the CoG Java implementation) therefore releasing the OCSP server from such "customization".
How does this client do this?
CoG v1.2 has the class org.globus.gsi.bc.BouncyCastleUtil containing the method getCertificateType(), which is used by the ProxyPathValidator class (and our own OCSP client) to identify whether we are dealing with a Proxy Certificate, a CA cert or an EEC (the interface org.globus.gsi.GSIConstants contains the possible return values for such a method). Do not forget that such libraries are used not only on the client side (i.e. grid-proxy-init) but also on the WSRF Container side.
One of the motivations for doing OCSP is to lighten the cert checking burden on the client (to 1 ocsp status check call). So I think it would be good if we understood this issue better....
I agree with you, so let me present the pseudocode of our current implementation in the ProxyPathValidator class:

    /**
     * 1-First let us build an OCSP Request with the certificates received in the Proxy Certificate Path.
     * 2-The Proxy Certificate itself does not need to be added since the current OCSP Responder implementation will always return an "Unknown" status.
     * 3-As soon as the OCSP Responder allows Proxy Cert validation we will modify this.
     **/
    for each Certificate in CertificatePath and not ProxyCertificate {
        addOCSPRequest(Certificate);
    }

    /**
     * 4-Now it is time to read the OCSP Responders' URIs.
     * 5-In future versions this may be included in a security descriptor.
     **/
    initializeOCSPHostList();

    /** 6-If required we can add OCSP extensions to retrieve (experimental use) **/
    addOCSPExtensions();

    /** 7-And finally execute the OCSP call **/
    doOCSP();

    /**
     * 8-Retrieve the OCSP Response.
     * 9-We are parsing this information as a data structure of the form int[host][certNumber], where:
     *    - host = OCSP Responder that was contacted (according to OCSPHostList)
     *    - certNumber = identifies the position in the OCSPRequest list of the certificate whose status is being retrieved
     **/
    for each host and each certNumber in ocspResponse {
        if (ocspResponse[host][certNumber] != Good)   // One of Good, Revoked or Unknown
            then Return with Code=ProxyPathInvalid
    }
    Return with Code=ProxyPathValid
Thanks, ==mwh
--
____________________
Jesus Luna Garcia
PhD Student, Polytechnic University of Catalonia
Barcelona, Spain
jluna@ac.upc.edu
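The validation flow in the pseudocode above, together with the certificate-type check from the earlier reply, as an added Python example that is not Globus/CoG code. Everything here is assumed for illustration: a minimal Cert record stands in for X509Certificate, classify() stands in for getCertificateType() and decides "proxy" from the RFC 3820 proxyCertInfo extension or a legacy GSI-2 CN=proxy suffix, the responders are plain callables keyed by placeholder hostnames, and the status matrix is the thread's int[host][certNumber] as a dict of lists. Two fail-closed checks that the pseudocode does not have (no responder configured, and a response shorter than the request) are added and marked as such in the comments.

```python
# Added example (not Globus/CoG code): the ProxyPathValidator flow from the
# thread, with a constructed certificate model in place of X509Certificate.
from enum import Enum
from typing import Callable, Dict, List, Optional, Sequence, Tuple


class CertType(Enum):
    CA = "CA"
    EEC = "EEC"
    PROXY = "PROXY"


class OCSPStatus(Enum):
    GOOD = "Good"
    REVOKED = "Revoked"
    UNKNOWN = "Unknown"


class Cert:
    """Constructed stand-in for an X.509 certificate (assumption: only the
    fields the classification below needs are modelled)."""

    def __init__(self, subject: str, issuer: str, is_ca: bool = False,
                 has_proxy_cert_info: bool = False) -> None:
        self.subject = subject
        self.issuer = issuer
        self.is_ca = is_ca
        self.has_proxy_cert_info = has_proxy_cert_info


LEGACY_PROXY_CNS = ("CN=proxy", "CN=limited proxy")


def classify(cert: Cert) -> CertType:
    """Stand-in for BouncyCastleUtil.getCertificateType() (assumption: the real
    method's internals are not shown in the thread). An RFC 3820 proxy carries
    the proxyCertInfo extension; a legacy GSI-2 proxy has the issuer's DN plus
    a trailing CN=proxy / CN=limited proxy."""
    if cert.has_proxy_cert_info:
        return CertType.PROXY
    if cert.subject.startswith(cert.issuer + "/"):
        if cert.subject[len(cert.issuer) + 1:] in LEGACY_PROXY_CNS:
            return CertType.PROXY
    if cert.is_ca:
        return CertType.CA
    return CertType.EEC


Responder = Callable[[Sequence[Cert]], Sequence[OCSPStatus]]


def build_ocsp_request(path: Sequence[Cert]) -> List[Cert]:
    """Steps 1-3: every certificate in the path except proxies, which the
    responder in the thread would only ever report as Unknown."""
    return [c for c in path if classify(c) != CertType.PROXY]


def do_ocsp(hosts: Dict[str, Responder],
            request: Sequence[Cert]) -> Dict[str, List[OCSPStatus]]:
    """Steps 4-8: contact each configured responder; the result is indexed
    [host][certNumber] like the thread's int[host][certNumber]."""
    return {host: list(query(request)) for host, query in hosts.items()}


def validate_proxy_path(path: Sequence[Cert],
                        hosts: Dict[str, Responder]) -> Tuple[str, Optional[str]]:
    """Step 9: any status other than Good from any responder invalidates the
    path. Assumed hardening beyond the pseudocode: no configured responder or
    an incomplete response is also treated as invalid (fail closed)."""
    request = build_ocsp_request(path)
    if not hosts:
        return ("ProxyPathInvalid", "no OCSP responder configured")
    response = do_ocsp(hosts, request)
    for host, statuses in response.items():
        if len(statuses) != len(request):
            return ("ProxyPathInvalid", f"{host}: incomplete response")
        for cert_number, status in enumerate(statuses):
            if status != OCSPStatus.GOOD:
                return ("ProxyPathInvalid",
                        f"{host}: {request[cert_number].subject} is {status.value}")
    return ("ProxyPathValid", None)


# Constructed sample chain: CA -> EEC -> legacy (CN=proxy) proxy certificate.
CA = Cert("/O=Example Grid/CN=Test CA", "/O=Example Grid/CN=Test CA", is_ca=True)
EEC = Cert("/O=Example Grid/CN=alice", CA.subject)
PROXY = Cert(EEC.subject + "/CN=proxy", EEC.subject)
PATH = [PROXY, EEC, CA]


# Constructed responders (placeholders for real OCSP hosts).
def all_good(request: Sequence[Cert]) -> List[OCSPStatus]:
    return [OCSPStatus.GOOD] * len(request)


def eec_revoked(request: Sequence[Cert]) -> List[OCSPStatus]:
    return [OCSPStatus.REVOKED if classify(c) == CertType.EEC else OCSPStatus.GOOD
            for c in request]


def truncated(request: Sequence[Cert]) -> List[OCSPStatus]:
    return [OCSPStatus.GOOD]  # answered for only one of the requested certs


if __name__ == "__main__":
    print(validate_proxy_path(PATH, {"ocsp-a.example": all_good}))
    print(validate_proxy_path(PATH, {"ocsp-a.example": all_good,
                                     "ocsp-b.example": eec_revoked}))
    print(validate_proxy_path(PATH, {"ocsp-a.example": truncated}))
```

Note that the proxy certificate is dropped from the request before any responder is contacted, which is exactly why the "Unknown" answer for proxies never reaches the decision loop; once a responder can validate proxies, the filter in build_ocsp_request() is the single place to change.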