CA/OCSP-TrustedResponder: Difference between revisions

m (minor edit) (Created page with '== OCSP Trusted Responder Mode == When an issuer's OCSP responder uses a self-signed OCSP responder certificate, it does not meet the criteria of RFC 2560, except when used as t…')
Line 1: Line 1:

== OCSP Trusted Responder Mode ==

(unchanged) When an issuer's OCSP responder uses a self-signed OCSP responder certificate, it does not meet the criteria of RFC 2560, except when used as the exclusive trusted locally-configured OCSP responder, designated by the relying party. This is known as Trusted Responder Mode.

Line 6: Line 4:

(unchanged) … responder be the ONLY EXCLUSIVE OCSP responder that Firefox will trust, and hence configuring Firefox to use one CA's OCSP responder as the trusted OCSP responder is ONLY helpful to users who are ONLY going to visit sites whose certs were issued by that CA.

− === Details ===
+ == Details ==

(unchanged) The OCSP RFC allows the relying party (the USER, not a CA) to create an OCSP server of his own, to which he will send all of his OCSP requests. This OCSP responder will sign its own responses, and the relying party will check that the responses have the correct signature by checking them with the responder's own certificate, which the relying party has explicitly configured and trusted for that purpose.
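The acceptance rules described above, as an added example that is not part of the wiki page or of Firefox/NSS code: a relying party normally accepts an OCSP response only if it is signed by the issuing CA itself or by a responder certificate the CA issued with the id-kp-OCSPSigning extended key usage (RFC 2560 section 2.2); a self-signed responder certificate fails both checks. In Trusted Responder Mode the relying party instead verifies every response against the one locally configured responder certificate, and nothing else is accepted. The example uses the `cryptography` package (an assumption about the environment); all keys, names and certificates are generated in memory as constructed test data.

```python
"""Added example: RFC 2560 signer checks versus a locally configured Trusted Responder."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# naive UTC timestamps are accepted by every cryptography release
NOW = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
ONE_DAY = datetime.timedelta(days=1)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca=False, ocsp_signing=False):
    """Issue a certificate; with issuer_cn == subject_cn and the same key it is self-signed."""
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject_cn))
         .issuer_name(_name(issuer_cn))
         .public_key(subject_key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(NOW - ONE_DAY)
         .not_valid_after(NOW + 30 * ONE_DAY)
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if ocsp_signing:
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def _spki(cert):
    return cert.public_key().public_bytes(serialization.Encoding.DER,
                                          serialization.PublicFormat.SubjectPublicKeyInfo)


def directly_issued_by(cert, issuer_cert):
    """True when issuer_cert's key signed cert (a one-step delegation check, no full chain build)."""
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return cert.issuer == issuer_cert.subject


def signature_valid(response, signer_cert):
    try:
        signer_cert.public_key().verify(response.signature, response.tbs_response_bytes,
                                        ec.ECDSA(response.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True


def accept_response(response, signer_cert, issuer_cert, trusted_responder=None):
    """Return the rule that accepts the response, or None.

    trusted_responder is the relying party's locally configured responder certificate.
    When it is set it is the EXCLUSIVE responder: not even the issuing CA's own
    signature is accepted, which is the limitation the page describes.
    """
    if trusted_responder is not None:
        return "trusted-responder" if signature_valid(response, trusted_responder) else None
    if not signature_valid(response, signer_cert):
        return None
    if _spki(signer_cert) == _spki(issuer_cert):
        return "issuer-ca"                       # RFC 2560 2.2, case 1
    try:
        eku = signer_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return None
    if ExtendedKeyUsageOID.OCSP_SIGNING in eku and directly_issued_by(signer_cert, issuer_cert):
        return "delegated-responder"             # RFC 2560 2.2, case 3
    return None


def build_response(subject_cert, issuer_cert, signer_cert, signer_key):
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=subject_cert, issuer=issuer_cert, algorithm=hashes.SHA256(),
                             cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                             next_update=NOW + ONE_DAY, revocation_time=None, revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.HASH, signer_cert))
    return builder.sign(signer_key, hashes.SHA256())


def demo():
    """Constructed scenario: one CA, one end-entity cert, one self-signed local responder."""
    ca_key, leaf_key, resp_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = make_cert("Example CA", ca_key, "Example CA", ca_key, is_ca=True)
    leaf = make_cert("www.example.test", leaf_key, "Example CA", ca_key)
    # self-signed responder: neither the CA nor a responder the CA delegated to
    responder = make_cert("Local OCSP Responder", resp_key, "Local OCSP Responder", resp_key,
                          ocsp_signing=True)
    self_signed = build_response(leaf, ca, responder, resp_key)
    by_ca = build_response(leaf, ca, ca, ca_key)
    return {
        "self_signed_default": accept_response(self_signed, responder, ca),
        "self_signed_trusted": accept_response(self_signed, responder, ca, trusted_responder=responder),
        "ca_signed_default": accept_response(by_ca, ca, ca),
        "ca_signed_trusted": accept_response(by_ca, ca, ca, trusted_responder=responder),
    }


if __name__ == "__main__":
    for case, rule in demo().items():
        print(f"{case}: {rule}")
```

The four cases in `demo()` are the point: the self-signed responder is rejected under the default rules and accepted only once it is configured as the trusted responder, while a response the CA signed itself, which the default rules accept, is rejected once a trusted responder is configured, because that responder is exclusive.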