On Nov 16, 2009, at 12:46 PM, Yngve Nysaeter Pettersen wrote:

> Basic problem with an HTTPS OCSP responder: Validating the responder's own
> certificate. If the certificate specifies the OCSP responder itself as the
> validator for its own certificate there is an infinite loop problem.
>
> Solution: Certificates for OCSP responders must not specify OCSP URIs,
> only CRLs.

Simpler: OCSP responder SSL certs assert id-pkix-ocsp-nocheck.

-- Tim
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
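
The loop described in the message above, and the two ways out of it that the thread proposes, as an added example that is not part of the original thread. It is a toy model of a client's revocation-checking logic; the Cert fields, the lookup table and all host names are constructed for illustration.

```python
# Added illustration: toy model of a client's revocation checking.
# All certificates, URIs and field names below are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    ocsp_uri: Optional[str] = None   # OCSP URI named in the certificate, if any
    crl_uri: Optional[str] = None    # CRL distribution point, if any
    ocsp_nocheck: bool = False       # id-pkix-ocsp-nocheck asserted

def revocation_plan(cert, responder_tls_certs, _pending=frozenset()):
    """List the steps needed to check `cert`; raise RecursionError on a loop.

    responder_tls_certs (hypothetical table) maps an HTTPS OCSP URI to the
    TLS server certificate that responder presents.
    """
    if cert.ocsp_nocheck:
        return [f"{cert.subject}: ocsp-nocheck asserted, skip revocation check"]
    if cert.ocsp_uri is None:
        if cert.crl_uri:
            return [f"{cert.subject}: fetch CRL {cert.crl_uri}"]
        return [f"{cert.subject}: no revocation source"]
    if cert.ocsp_uri in _pending:
        # We are already in the middle of contacting this responder.
        raise RecursionError(f"{cert.subject}: OCSP loop via {cert.ocsp_uri}")
    steps = []
    tls_cert = responder_tls_certs.get(cert.ocsp_uri)
    if tls_cert is not None:
        # HTTPS responder: its own TLS certificate must be checked first.
        steps += revocation_plan(tls_cert, responder_tls_certs,
                                 _pending | {cert.ocsp_uri})
    steps.append(f"{cert.subject}: query OCSP {cert.ocsp_uri}")
    return steps

URI = "https://ocsp.example.test/"
SITE = Cert("www.example.test", ocsp_uri=URI)
LOOPING = Cert("ocsp.example.test", ocsp_uri=URI)            # the problem case
CRL_ONLY = Cert("ocsp.example.test", crl_uri="http://crl.example.test/ca.crl")
NOCHECK = Cert("ocsp.example.test", ocsp_uri=URI, ocsp_nocheck=True)

def outcome(responder_cert):
    """Plan the check of SITE when the responder presents `responder_cert`."""
    try:
        return revocation_plan(SITE, {URI: responder_cert})
    except RecursionError as exc:
        return f"loop: {exc}"
```

Calling outcome(LOOPING), outcome(CRL_ONLY) and outcome(NOCHECK) shows the loop being detected and each of the two proposals terminating it.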