Re: [TLS] Security of CertificateStatus?

To: tls at lists.ietf.org
Subject: Re: [TLS] Security of CertificateStatus?
From: Mike <mike-list at pobox.com>
Date: Sat, 17 Feb 2007 09:58:27 -0800
In-reply-to: <200702171807.34284.bradh@frogmouth.net>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <45D5F218.8010409@pobox.com> <200702171807.34284.bradh@frogmouth.net>
User-agent: Thunderbird 1.5.0.9 (Windows/20061207)

You either need to validate the chain (plus CRL), or you need OCSP, not both. Either allows you to tell if the certificate presented by the server is valid. If the certificate is valid, you can "trust" the server.


When I validate a typical certificate chain, my code ends up
retrieving up to 4 CRLs since the CRLs of intermediate CAs
need to be checked too.  Does the single OCSP response also
validate these intermediate CA certificates?

Mike

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

References:
- [TLS] Security of CertificateStatus?
  - From: Mike

Prev by Date: [TLS] Security of CertificateStatus?
Next by Date: [TLS] Authorization extension test server available
Previous by thread: [TLS] Security of CertificateStatus?
Next by thread: [TLS] Authorization extension test server available
Index(es):
- Date
- Thread

Re: [TLS] Security of CertificateStatus?

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.