[Pki-devel] [PATCH] 0051 Lightweight CAs: lookup correct issuer for OCSP responses

Ade Lee alee at redhat.com
Thu Mar 3 20:35:39 UTC 2016


After clarification and discussions with cfu, ACK.


On Wed, 2016-03-02 at 15:13 +1000, Fraser Tweedale wrote:
> On Mon, Feb 22, 2016 at 12:02:49PM -0500, Ade Lee wrote:
> > Couple of comments ..
> > 
> > 1. First off, there is a typo in the comments on the method.  I think
> > you mean ..
> > 
> >     3. Either we WERE the issuing CA, or we .. rather than "were not"
> > 
> > 2. We can go with the heuristic of taking the first CA, but I do not
> > think we should leak information about other certs if the CA is
> > incorrect.  The way the code is now, we will still return data on
> > whether a particular cert serial number is valid -- even if that cert
> > was not issued on that CA.
> > 
> > A simple solution is to simply pass code to processRequest() to ignore
> > the request if the issuer is not correct and not return a response for
> > that request.
> > 
> RFC 6960 says:
> 
>     The response MUST include a SingleResponse for each certificate
>     in the request.
> 
> So the best we can do is return 'unknown' status in this case.
> 
> I've attached updated patch 0051-2 - the only change is the comment
> fixup - and two new patches: 0074 refactors digest lookup and adds
> support for SHA-2 algos, and 0075 changes the OCSP behaviour to
> return 'unknown' cert status for certs that are from a different issuer.
> 
> Cheers,
> Fraser
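The behaviour discussed above, as an added illustration that is not the Dogtag patch under review: a responder hosting several lightweight CAs resolves each CertID to the CA whose issuer hashes match and answers 'unknown' for CertIDs that match none of its CAs, instead of answering from the first CA. CA names, keys and serial numbers are constructed sample values.

```python
import hashlib

# Per-CA status database: serial -> "good" | "revoked".
# Issuer DN and public-key bytes are constructed sample values.
CAS = {
    "root": {"name": b"CN=Example Root CA", "key": b"root-key-bytes",
             "serials": {1: "good", 2: "revoked"}},
    "sub":  {"name": b"CN=Example Lightweight CA", "key": b"sub-key-bytes",
             "serials": {1: "revoked", 7: "good"}},
}

# SHA-1 plus SHA-2, as the 0074 patch in the thread adds.
DIGESTS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

def cert_id(alg, issuer_name, issuer_key, serial):
    """Build a CertID as a client does (RFC 6960 s4.1.1): digest of the
    issuer DN, digest of the issuer public key, and the target serial."""
    h = DIGESTS[alg]
    return (alg, h(issuer_name).digest(), h(issuer_key).digest(), serial)

def find_issuer(alg, name_hash, key_hash):
    """Return the id of the hosted CA whose hashes match the CertID, else None."""
    h = DIGESTS[alg]
    for ca_id, ca in CAS.items():
        if h(ca["name"]).digest() == name_hash and h(ca["key"]).digest() == key_hash:
            return ca_id
    return None

def respond_leaky(req):
    """Behaviour the review objects to: status is taken from the first CA
    whatever issuer the client named, so one CA's serials leak for another."""
    first = next(iter(CAS.values()))
    return [first["serials"].get(serial, "unknown") for (_, _, _, serial) in req]

def respond(req):
    """Corrected behaviour: one SingleResponse per CertID, as RFC 6960 requires;
    the status comes only from the matching CA, otherwise 'unknown'."""
    out = []
    for alg, name_hash, key_hash, serial in req:
        ca_id = find_issuer(alg, name_hash, key_hash)
        if ca_id is None:
            out.append("unknown")  # not one of our issuers: say nothing about it
        else:
            out.append(CAS[ca_id]["serials"].get(serial, "unknown"))
    return out
```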
