Which OCSP responder to trust?
Hello again,

In slide 4 of the presentation "OCSP-GGF15.ppt" three different OCSP discovery mechanisms are mentioned to validate user and Proxy Certificates; in this case we agree with them (in fact the first two are referenced in some way in section "4.4 Responder discovery"), however it could be convenient to mention also the possibility of using the multicited OCSP Policy to accomplish such configuration at the relying party.

The third option, "OCSP-signing proxy delegated to responder": could you elaborate more on this? We are not getting the idea behind such a concept.

Regards (one more time!),
Oscar & Jesus
Since Proxy certs are the thorniest problem (& the principal one remaining that we know of), I will start with this. Jesus Luna writes:
> In slide 4 of the presentation "OCSP-GGF15.ppt" three different OCSP discovery mechanisms are mentioned to validate user and Proxy Certificates; in this case we agree with them (in fact the first two are referenced in some way in section "4.4 Responder discovery"), however it could be convenient to mention also the possibility of using the multicited OCSP Policy to accomplish such configuration at the relying
What is the "multicited OCSP policy"?
> The third option "OCSP-signing proxy delegated to responder", could you elaborate more on this? We are not getting the idea behind such concept.
Here are the comments from the minutes:

When proxy uses AIA extension (=URL added), have to provide intelligence to OCSP objects that identifies the appropriate response and ensures authority of signer is appropriate. Requires special software at OCSP level, or use some portion of AIA URL and make sure that OCSP signing certificate had corresponding name (yuck). Best way is for user to delegate a proxy cert to OCSP responder in such a way that the cert has OCSP signature info. Can have multiple URLs in one cert or proxy. Essentially this is a bucket of URLs and info on what will be found at these URLs (note not CRLs!). Clients can try these sequentially; some undefined logic is implied here.

I think that is referring to the same item. What I am getting out of this is an idea something like: create a service that manages a large number of delegate proxy OCSP responder certificates, per user or per proxy cert, not clear. In fact it is not clear that this is the only possible content; perhaps a referral to a real OCSP service would be found at the end of it &c. I wasn't there & it's not my idea, so I am not sure about it. In an earlier meeting Olle discussed something similar but less developed (see minutes info posted earlier).

Thanks, ==mwh
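The point from the minutes, that an AIA URL in a proxy or user certificate only says where to ask and never by itself says whose signature to accept, can be made concrete. The following is an added example, not code from the thread or from OGRO: it models certificates as plain records (no real X.509 parsing) and applies the RFC 2560 section 2.2 rules for which response signers are authorized, ordering responders from a local OCSP policy ahead of AIA URLs; the names, URLs and the "user delegates an OCSP-signing proxy to the responder" scenario are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning extended key usage OID


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed model, not a parser)."""
    subject: str
    issuer: str
    eku: frozenset = frozenset()
    aia_ocsp: tuple = ()          # OCSP URLs from the AIA extension, if any


def responder_urls(cert: Cert, policy: Dict[str, Sequence[str]]) -> List[str]:
    """Discovery order: responders the local OCSP policy maps to the cert's
    issuer first, then any AIA URLs the certificate itself carries.
    Duplicates are dropped while preserving order."""
    seen, out = set(), []
    for url in tuple(policy.get(cert.issuer, ())) + tuple(cert.aia_ocsp):
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def signer_authorized(target: Cert, signer: Cert,
                      trusted_responders: frozenset = frozenset()) -> Optional[str]:
    """Return the RFC 2560 rule that lets `signer` vouch for `target`, or None.
    Note what is NOT a rule: a subject name that happens to match the AIA URL."""
    if signer.subject == target.issuer:
        return "issuing CA"
    if signer.subject in trusted_responders:
        return "locally trusted responder"
    if signer.issuer == target.issuer and OCSP_SIGNING in signer.eku:
        return "delegated responder (issued directly by the CA)"
    return None


# Constructed sample data: a CA, a user cert with an AIA URL, and a proxy cert
# issued by the user (proxy certs carry no AIA of their own here).
CA = "CN=Example Grid CA"
alice = Cert("CN=Alice", CA, aia_ocsp=("http://ocsp.example.test/",))
proxy = Cert("CN=Alice/CN=proxy", "CN=Alice")
ca_responder = Cert("CN=Grid OCSP", CA, eku=frozenset({OCSP_SIGNING}))
rogue = Cert("CN=Grid OCSP", "CN=Other CA", eku=frozenset({OCSP_SIGNING}))
# The third mechanism from the minutes, modelled: Alice delegates a proxy with
# OCSP-signing info to a responder, which then may answer for her proxies only.
alice_ocsp_proxy = Cert("CN=Alice/CN=ocsp", "CN=Alice", eku=frozenset({OCSP_SIGNING}))
POLICY = {CA: ["http://ocsp.policy.example.test/"]}
```

Under this model the rogue responder is rejected even though its subject name matches the legitimate one, which is the "corresponding name (yuck)" pitfall from the minutes, while the user-delegated OCSP proxy is accepted for Alice's proxies but not for Alice's own certificate.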
Hol@ all,

Before replying to Mike's last email I'd like to take the chance and elaborate a little about the OCSP Policy mentioned in the following text.

Mike Helm wrote:

> Jesus Luna writes:
>
> > In slide 4 of the presentation "OCSP-GGF15.ppt" three different OCSP discovery mechanisms are mentioned to validate user and Proxy Certificates; in this case we agree with them (in fact the first two are referenced in some way in section "4.4 Responder discovery"), however it could be convenient to mention also the possibility of using the multicited OCSP Policy to accomplish such configuration at the relying
>
> What is the "multicited OCSP policy"?
In this document we have been referencing a way to configure the set of Grid OCSP options to use in these environments. According to section "9. Other considerations", such rules could be contained in what we have mentioned in our response as the "OCSP policy", and furthermore this has been implemented in OGRO as the "OCSP Validation Policy", which is explained on the following page: http://globus-grid.certiver.com/info/ogro/download.html under the header "Building customized OCSP Validation Policies in OGRO".

We have found it to be a good option to customize the behaviour of your Grid OCSP client taking into consideration all the parameters that "play in this field". Such policy is still "in diapers" (as we usually say in Spanish!), which means that it is in a very, very early stage, and furthermore the version on the Web page doesn't contain the "prevalidation" concept mentioned in one of our previous emails; however we expect to further enhance it as community comments arrive ;)

Salut,
--
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
Jesus Luna Garcia | Polytechnic University of Catalonia
PhD Student | Department of Computer Architecture
phone: +34 93 401 7187 | Campus Nord. www.ac.upc.es
fax: +34 93 401 7055 | C/Jordi Girona 1-3, Modul D6-116
E-mail: jluna@ac.upc.es | Barcelona 08034 SPAIN
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>