After clarification and discussions with cfu, ACK.
On Wed, 2016-03-02 at 15:13 +1000, Fraser Tweedale wrote:
On Mon, Feb 22, 2016 at 12:02:49PM -0500, Ade Lee wrote:
> Couple of comments ..
>
> 1. First off, there is a typo in the comments on the method. I
> think you mean ..
>
> 3. Either we WERE the issuing CA, or we .. rather than "were not"
>
> 2. We can go with the heuristic of taking the first CA, but I do not
> think we should leak information about other certs if the CA is
> incorrect. The way the code is now, we will still return data on
> whether a particular cert serial number is valid -- even if that cert
> was not issued on that CA.
>
> A simple solution is to simply pass code to processRequest() to ignore
> the request if the issuer is not correct and not return a response for
> that request.
>
>
RFC 6960 says:
The response MUST include a SingleResponse for each certificate
in the request.
So the best we can do is return 'unknown' status in this case.
I've attached updated patch 0051-2 - the only change is the comment
fixup - and two new patches: 0074 refactors digest lookup and adds
support for SHA-2 algos, and 0075 changes the OCSP behaviour to
return 'unknown' cert status for certs that are from a different issuer.
Cheers,
Fraser
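The behaviour discussed in this thread, written up as a small added example (editor's illustration, not Fraser's patches and not Dogtag code, which is Java; this is a Python model of the responder logic). It models the two points at once: the per-CertID issuer check that returns 'unknown' instead of leaking another CA's serial status, keeping one SingleResponse per CertID as RFC 6960 requires, and the hashAlgorithm OID lookup that lets the responder recompute issuerNameHash/issuerKeyHash for SHA-1 as well as SHA-2 requests. The CA names, keys, serials and status tables are constructed byte strings and dicts, and the leaky "first CA" variant is kept beside the fixed one so the difference is visible.

```python
"""Toy OCSP responder model: issuer check per CertID plus digest lookup.

Constructed illustration only. CertID mirrors RFC 6960's
(hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber) as plain
Python values rather than DER; the CAs and serials below are made up.
"""
import hashlib
import hmac
from dataclasses import dataclass

# hashAlgorithm OIDs a client may use in CertID, mapped to hashlib names.
# Older clients hash with SHA-1; the SHA-2 entries are what a responder
# needs in order to match issuer hashes sent by newer clients.
DIGEST_BY_OID = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}


def digest(hash_oid, data):
    """Hash data with the algorithm named by hash_oid (KeyError if unsupported)."""
    return hashlib.new(DIGEST_BY_OID[hash_oid], data).digest()


@dataclass(frozen=True)
class CertID:
    hash_oid: str
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int


@dataclass
class IssuingCA:
    """One CA the responder answers for: DER-encoded name and public key
    (constructed byte strings here) and a serial -> status table."""
    name_der: bytes
    key_der: bytes
    statuses: dict  # serial -> "good" | "revoked"

    def issued(self, cert_id):
        """True if cert_id's issuer hashes match this CA under the request's algorithm."""
        try:
            name_hash = digest(cert_id.hash_oid, self.name_der)
            key_hash = digest(cert_id.hash_oid, self.key_der)
        except KeyError:  # unsupported hashAlgorithm: we cannot claim to be the issuer
            return False
        return (hmac.compare_digest(name_hash, cert_id.issuer_name_hash)
                and hmac.compare_digest(key_hash, cert_id.issuer_key_hash))

    def status(self, serial):
        return self.statuses.get(serial, "unknown")


def cert_id_for(ca, serial, hash_oid="2.16.840.1.101.3.4.2.1"):
    """Build the CertID a client would send for a cert issued by ca."""
    return CertID(hash_oid, digest(hash_oid, ca.name_der),
                  digest(hash_oid, ca.key_der), serial)


def respond_first_ca(cas, request):
    """Leaky heuristic: answer every CertID from the first CA, ignoring the
    issuer hashes, so a serial from an unrelated CA gets a real status."""
    return [(cid.serial, cas[0].status(cid.serial)) for cid in request]


def respond(cas, request):
    """Fixed behaviour: still one SingleResponse per CertID, but 'unknown'
    whenever none of the CAs we serve matches the issuer hashes."""
    out = []
    for cid in request:
        ca = next((c for c in cas if c.issued(cid)), None)
        out.append((cid.serial, ca.status(cid.serial) if ca else "unknown"))
    return out


def example_scenario():
    """Constructed request mixing a foreign issuer, a second served CA and a SHA-1 CertID."""
    ca_a = IssuingCA(b"CN=CA A", b"pubkey-A", {1001: "good", 1002: "revoked"})
    ca_b = IssuingCA(b"CN=CA B", b"pubkey-B", {1001: "revoked"})
    foreign = IssuingCA(b"CN=Not ours", b"pubkey-X", {})
    request = [
        cert_id_for(foreign, 1001),                 # same serial, different issuer
        cert_id_for(ca_b, 1001),                    # second CA we do serve
        cert_id_for(ca_a, 1002, "1.3.14.3.2.26"),   # SHA-1 CertID for CA A
    ]
    return respond_first_ca([ca_a, ca_b], request), respond([ca_a, ca_b], request)


if __name__ == "__main__":
    leaky, fixed = example_scenario()
    print("first-CA heuristic:", leaky)
    print("issuer-checked:    ", fixed)
```

The leaky variant answers "good" for serial 1001 from the foreign issuer (revealing that CA A has such a serial) and also misreports CA B's revoked 1001 as good; the checked variant returns 'unknown' for the foreign CertID, 'revoked' for CA B's, and still matches the SHA-1 CertID for CA A, with the response length equal to the request length.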