Mike Helm wrote:
What is the status of this client library? Is it freely available to developers?
We are in touch with Frank Siebenlist (Lead Security Architect from Globus) to integrate our OCSP client library (only the Java version is available at this time) into GT4.
Am I interpreting this correctly: "The client library will parse a chain of proxy certs in the correct RFC 2560 form (requestList &c) and create a RFC 2560 conforming OCSP query"?
Yes, that is correct.
We need to think about this, in terms of supporting proxy certs. Should we expect clients to distinguish proxy certs from EE or issuer certs? (I would answer "No", but they could.)
The client is the only one that can identify Proxy Certificates (in fact it is pretty easy to do with the CoG Java implementation), therefore releasing the OCSP Server from such "customization".
We might have a lot of "unknown" status returns - the client will react to this how? (Possibly not well, given the recommended default.)
Exactly, that's why we recommended in our original email two possible approaches to this problem:

- From the client side:
  1. If no "Revoked" status was received from the OCSP Server for the whole requestList, then the Proxy Certificate is valid. This behaviour works with any RFC 2560 compliant OCSP Server.

- From the OCSP Server side:
  1. A standard OCSP Server that does not support Proxy Certificate revocation should always reply with an "Unknown" status for such certificates.
  2. An OCSP Server that does support Proxy Certificate revocation (like CertiVeR, whose database stores the Proxy Certificates that have been revoked) will reply "Unknown" only if the Proxy Certificate has not been revoked.
Can we train trusted responders to return "Good" unless the proxy is revoked? Would this be a good thing to do? Why? (It sounds reasonable, but what about previous discussion of exhausted revocation information.) We need either to clear this up or clear up my misunderstanding :^)
It is not advisable because, given an X.509 Certificate, the OCSP Server does not have a secure mechanism to identify a Proxy Certificate.

Best regards,
--
____________________
Jesus Luna Garcia
PhD Student. Polytechnic University of Catalonia
Barcelona, Spain
jluna@ac.upc.edu
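The exchange discussed in this thread, as an added example that is not code from the thread, from GT4, the CoG kit or CertiVeR: the client builds one RFC 2560 requestList for the whole proxy chain, two responder models answer it (a standard responder that returns "unknown" for proxies, and a CertiVeR-style one that returns "revoked" for proxies in its revocation store and "unknown" otherwise), and the client applies the rule from the thread (no "revoked" anywhere in the requestList means the proxy is valid). Assumptions: certificates are plain records, the `is_proxy` flag stands in for the client's check of the proxyCertInfo extension (RFC 3820), the CertID hashes are taken over stand-in strings rather than the DER issuer name and public key, and the `strict_non_proxy` option (treat "unknown" as a failure for non-proxy certs, which the client can tell apart) is a refinement added here, not something the thread proposes.

```python
"""Simulated RFC 2560 OCSP exchange over a proxy-certificate chain.

Constructed example; not code from this thread, GT4, the CoG kit or CertiVeR.
Certificates are plain records: `is_proxy` stands in for the client's check
of the proxyCertInfo extension (RFC 3820), and the CertID hashes are taken
over stand-in strings instead of the DER issuer name and public key.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    issuer_key: bytes   # stand-in for the issuer's SubjectPublicKeyInfo
    is_proxy: bool      # real client: presence of proxyCertInfo (RFC 3820)


@dataclass(frozen=True)
class CertID:
    """RFC 2560 CertID; hashAlgorithm fixed to SHA-1 here."""
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int


def make_cert_id(cert: Cert) -> CertID:
    return CertID(hashlib.sha1(cert.issuer.encode()).digest(),
                  hashlib.sha1(cert.issuer_key).digest(),
                  cert.serial)


def build_request(chain):
    """The requestList the client sends: one CertID per cert in the chain."""
    return [make_cert_id(c) for c in chain]


def standard_responder(request, ca_db):
    """Responder without proxy support: answers from the CA's database and,
    as RFC 2560 prescribes for certificates it does not know, says 'unknown'
    for every proxy (a proxy is never in a CA's issued-certificate list)."""
    return [ca_db.get(cid, CertStatus.UNKNOWN) for cid in request]


def proxy_aware_responder(request, ca_db, revoked_proxies):
    """CertiVeR-style responder: additionally holds revoked proxies. A proxy
    that is not revoked still comes back 'unknown', since the server cannot
    securely tell a proxy from any other certificate it has never seen."""
    return [CertStatus.REVOKED if cid in revoked_proxies
            else ca_db.get(cid, CertStatus.UNKNOWN)
            for cid in request]


def chain_is_valid(chain, statuses, strict_non_proxy=True):
    """Client-side rule from the thread: accept the proxy chain if no
    'revoked' came back for the whole requestList. `strict_non_proxy` is an
    added refinement (not in the thread): 'unknown' is tolerated only for
    certs the client has identified as proxies; an EE or CA cert the
    responder does not know is treated as a failure."""
    for cert, status in zip(chain, statuses):
        if status is CertStatus.REVOKED:
            return False
        if status is CertStatus.UNKNOWN and strict_non_proxy and not cert.is_proxy:
            return False
    return True


def sample_chain():
    """Constructed chain, leaf first: proxy2 <- proxy1 <- EE (issued by CA)."""
    ca_key, ee_key, p1_key = b"ca-key", b"ee-key", b"proxy1-key"
    ee = Cert("CN=alice", "CN=Example CA", 1001, ca_key, False)
    p1 = Cert("CN=alice,CN=proxy", "CN=alice", 1, ee_key, True)
    p2 = Cert("CN=alice,CN=proxy,CN=proxy", "CN=alice,CN=proxy", 2, p1_key, True)
    return [p2, p1, ee]


def run_scenarios():
    chain = sample_chain()
    p2, p1, ee = chain
    request = build_request(chain)
    ca_db = {make_cert_id(ee): CertStatus.GOOD}
    results = {}
    # 1. Standard responder: proxies 'unknown', EE 'good' -> accepted.
    results["standard"] = chain_is_valid(chain, standard_responder(request, ca_db))
    # 2. Proxy-aware responder with proxy1 revoked -> rejected.
    revoked = {make_cert_id(p1)}
    results["proxy1_revoked"] = chain_is_valid(
        chain, proxy_aware_responder(request, ca_db, revoked))
    # 3. EE revoked at the CA -> rejected even though the proxies are 'unknown'.
    results["ee_revoked"] = chain_is_valid(
        chain, standard_responder(request, {make_cert_id(ee): CertStatus.REVOKED}))
    # 4. Responder knows nothing (all 'unknown'): the thread's bare rule accepts,
    #    the strict refinement rejects because the EE itself is unknown.
    all_unknown = standard_responder(request, {})
    results["all_unknown_lenient"] = chain_is_valid(chain, all_unknown, strict_non_proxy=False)
    results["all_unknown_strict"] = chain_is_valid(chain, all_unknown)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22s} -> {'accepted' if ok else 'rejected'}")
```

Scenario 4 is the point Mike Helm raises about many "unknown" returns: under the bare rule an all-"unknown" response is accepted, which is only safe if the client has separately verified that the non-proxy part of the chain is known to be good; the strict variant makes that explicit by exploiting the one thing the responder cannot do and the client can, namely tell which CertIDs belong to proxies.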