Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate Status extension

[Dr Stephen Henson <lists@drh-consultancy.demon.co.uk>]

On 04/08/2010 23:04, Rob Stradling wrote:
> On Wednesday 04 August 2010 15:40:05 Yngve Nysaeter Pettersen wrote:
>> On Tue, 03 Aug 2010 21:46:38 +0200, Rob Stradling
>>
>> <rob.stradling@comodo.com> wrote:
>>> In another thread, Kyle H today wrote:
>>> "...why not change the ASN.1 to allow for multiple individual responses
>>> in a
>>> SEQUENCE or SET?"
>>
>> I suspect that this is about responses for multiple certificates for the
>> same issuer.
> 
> I suspect not.  BasicOCSPResponse already allows a single Response to contain 
> status information about multiple certificates for the same issuer.
> 
> In fact, BasicOCSPResponse already allows a single Response to contain status 
> information about multiple certificates from *multiple issuers*.  The problem, 
> of course, is that a BasicOCSPResponse may only be signed by a single entity, 
> so this kind of Response could only ever be useful in a "local configuration 
> of OCSP signing authority" (RFC 2560 section 4.2.2.2 option 1) context.
> 

I can recall this being mentioned before and the possibility was mentioned that
it might be permitted if you had the same public key in multiple delegated
signer certificates for each issuer.

I'm not sure how many OCSP clients would correctly handle that case, the current
OpenSSL OCSP code can't for one.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.