Questions about OCSP issuer request

David-DiSiD Technologies · October 24th, 2006, 03:47 AM

Hi!

When I create a OCSPRequest, I must use the issuer certificate [issuerCert] of certificate to evaluate [certToVal] but... which issuerCert must be used:

[1] The certificate that appears in "issuer" field of certToVal?

[2] The certificate that appears in AuthorityKeyIdentifier extension (OID = 2.5.29.35 [http://www.alvestrand.no/objectid/2.5.29.35.html]) of certToVal?

[3] The certificate that appears in "id-ad-caIssuer" field (OID = 1.3.6.1.5.5.7.48.2 [http://www.alvestrand.no/objectid/1....5.7.48.2.html]) of "authorityInfoAccess" extension (OID = 1.3.6.1.5.5.7.1.1 [http://www.alvestrand.no/objectid/1.....5.7.1.1.html]) of certToVal?

[4] The CArootCertificate?

Another question: if I want evaluate a certificate chain [certPath formed by three certificates, for example: by signerCert, an intermediate certificate and a CAroot certificate], I must use the same issuerCert for each certificate? I that case, which issuerCert I must use?

Thanks!!

---------------

David Cervera-PÃ©rez
DiSiD Technologies
Valencia - Spain
www.disid.com

dgh · October 25th, 2006, 08:59 PM

Sorry, I'm a little confused - there's no certToVal field in RFC 2560 can you tell me a little more about what you're trying to do?

With the second question, the CA certificate must be the issuer of the intermediate certificate, and the intermediate certificate must be the issuer of signerCert.

Regards,

David

David-DiSiD Technologies · October 26th, 2006, 02:03 AM

Sorry, I will try to explain it better.

In the context of OCSP comunication, when I construct a CertID for OCSP request I must use the certificate to evaluate (that I called certToVal) and its issuer certificate (that I called issuerCert).

My first question: when we talked about the issuer certificate of the certificate to evaluate, we talked about:

[1] The certificate that corresponds with the field âIssuerâ of the certificate to evaluate?

[2] The certificate that appears in AuthorityKeyIdentifier extension of certificate to evaluate?

[3] The certificate that appears in field "id-ad-caIssuer" of "authorityInfoAccess" extension of certificate to evaluate?

[4] The CA certificate?

(( I was sure that [1] was the suitable answer, because in Chapter 7 as in RFC 2560 is explained thus, but I have this doubt because in a test certificate the issuer certificate that it had to use to create CertID of OCSP request (and to obtain an OCSP response) was the corresponding one to [3] ))

Thanks you very much.

---------------

David Cervera-PÃ©rez
DiSiD Technologies
Valencia - Spain
www.disid.com

dgh · October 27th, 2006, 01:47 AM

Okay, my understanding of this one is that if id-ad-caIssuer is present it specifies where to look for the issuer of the certificate that was the one that issued the certificate you're looking at. So the situation you've described would make sense if you were evaluating the issuer certificate (so given certVal has the extension, evaluating it's issuer certificate might require using the information in the extension). Is that what happened?

If it's any help there's a fairly lengthy description on this one in section 4.2.2.1 of RFC 3280.

Regards,

David

David-DiSiD Technologies · October 27th, 2006, 05:12 AM

Yes, that is what it happens.

Thanks for your aid and congratulations for your book!

Regards.

-------------

David Cervera-PÃ©rez
DiSiD Technologies
Valencia - Spain
www.disid.com