cabforum / servercert

Repository for the CA/Browser Forum Server Certificate Chartered Working Group
https://cabforum.org/working-groups/scwg/

Correct the reasons for not needing the AIA in OCSP certificates #480

Open hablutzel1 opened 7 months ago

hablutzel1 commented 7 months ago

From https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1:

4.1.1. ASN.1 Specification of the OCSP Request

...

    CertID          ::=     SEQUENCE {
        hashAlgorithm       AlgorithmIdentifier,
        issuerNameHash      OCTET STRING, -- Hash of issuer's DN
        issuerKeyHash       OCTET STRING, -- Hash of issuer's public key
        serialNumber        CertificateSerialNumber }

...

The contents of CertID include the following fields:

...

  • issuerNameHash is the hash of the issuer's distinguished name (DN). The hash shall be calculated over the DER encoding of the issuer's name field in the certificate being checked.

  • issuerKeyHash is the hash of the issuer's public key. The hash shall be calculated over the value (excluding tag and length) of the subject public key field in the issuer's certificate.

  • serialNumber is the serial number of the certificate for which status is being requested.

From https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.2.2.1:

4.2.2.2.1. Revocation Checking of an Authorized Responder ...

  • A CA may specify that an OCSP client can trust a responder for the lifetime of the responder's certificate. The CA does so by including the extension id-pkix-ocsp-nocheck.
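The two RFC 6960 passages quoted above (the CertID construction in 4.1.1 and the id-pkix-ocsp-nocheck rule in 4.2.2.2.1) are easiest to reason about with the bytes in hand. The script below is an added example written for this page; it is not code from the issue author, the RFC, or the cabforum/servercert repository. It carries its own minimal DER encoder and decoder, builds three structurally valid but unsigned placeholder certificates (the names, serial numbers and "key" bytes are constructed, not real keys), computes CertID for the leaf against its issuer, and checks whether the responder certificate carries id-pkix-ocsp-nocheck. The one interpretive choice, dropping the BIT STRING's unused-bits octet before hashing the public key, follows what OpenSSL and other deployed clients do.

```python
# Added example, not code from the issue or the cabforum/servercert repository.
# Builds CertID as RFC 6960 s4.1.1 describes and checks a responder certificate
# for id-pkix-ocsp-nocheck (s4.2.2.2.1). All certificates below are constructed,
# unsigned placeholders; only the tbsCertificate layout matters here.
import hashlib

OID_COMMON_NAME = bytes.fromhex("550403")                 # 2.5.4.3
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")      # 1.2.840.113549.1.1.11
OID_OCSP_NOCHECK = bytes.fromhex("2b0601050507300105")    # 1.3.6.1.5.5.7.48.1.5


def der_tlv(tag, content):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, content, raw_tlv, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, start = first, pos + 2
    else:
        k = first & 0x7F
        n, start = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    end = start + n
    return tag, buf[start:end], buf[pos:end], end


def der_children(content):
    """Split a constructed value into its TLVs as (tag, content, raw_tlv)."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, raw, pos = der_read(content, pos)
        out.append((tag, body, raw))
    return out


def parse_tbs(cert_der):
    """Pick the tbsCertificate fields CertID needs (RFC 5280 s4.1.2 ordering)."""
    _, cert_body, _, _ = der_read(cert_der)      # Certificate SEQUENCE
    _, tbs, _, _ = der_read(cert_body)           # tbsCertificate is its first child
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                     # EXPLICIT [0] version is optional
        fields = fields[1:]
    serial, _sig_alg, issuer, _validity, subject, spki = fields[:6]
    exts = next((f for f in fields[6:] if f[0] == 0xA3), None)  # [3] extensions
    return {"serial": serial, "issuer": issuer, "subject": subject,
            "spki": spki, "exts": exts}


def digest(hash_name, data):
    return hashlib.new(hash_name, data).digest()


def cert_id(cert_der, issuer_der, hash_name="sha1"):
    """CertID for cert_der, given the DER of the certificate that issued it.

    Note the asymmetry in RFC 6960 s4.1.1: issuerNameHash covers the whole DER
    of the issuer Name field (tag and length included), while issuerKeyHash
    covers only the value of the subjectPublicKey BIT STRING. As OpenSSL does,
    the BIT STRING's leading unused-bits octet is dropped, so the hash is over
    the raw public key bytes taken from the *issuer's* certificate.
    """
    cert, issuer = parse_tbs(cert_der), parse_tbs(issuer_der)
    _spki_alg, spki_key = der_children(issuer["spki"][1])
    return {
        "hashAlgorithm": hash_name,
        "issuerNameHash": digest(hash_name, cert["issuer"][2]),
        "issuerKeyHash": digest(hash_name, spki_key[1][1:]),
        "serialNumber": int.from_bytes(cert["serial"][1], "big", signed=True),
    }


def has_ocsp_nocheck(cert_der):
    """True if the certificate carries id-pkix-ocsp-nocheck (RFC 6960 s4.2.2.2.1)."""
    exts = parse_tbs(cert_der)["exts"]
    if exts is None:
        return False
    _, ext_list, _, _ = der_read(exts[1])        # [3] wraps SEQUENCE OF Extension
    return any(der_children(ext)[0][1] == OID_OCSP_NOCHECK   # extnID is first
               for _, ext, _ in der_children(ext_list))


def build_cert(serial, issuer_cn, subject_cn, pubkey_bytes, extensions=()):
    """Assemble a structurally valid but UNSIGNED certificate (constructed data)."""
    def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { commonName, UTF8String } } }
        atv = der_tlv(0x30, der_tlv(0x06, OID_COMMON_NAME) + der_tlv(0x0C, cn.encode()))
        return der_tlv(0x30, der_tlv(0x31, atv))
    alg = der_tlv(0x30, der_tlv(0x06, OID_RSA_ENCRYPTION) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + pubkey_bytes))  # 0 unused bits
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"340101000000Z"))
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, serial) + alg
           + name(issuer_cn) + validity + name(subject_cn) + spki)
    if extensions:
        tbs += der_tlv(0xA3, der_tlv(0x30, b"".join(extensions)))
    sig_alg = der_tlv(0x30, der_tlv(0x06, OID_SHA256_RSA) + der_tlv(0x05, b""))
    return der_tlv(0x30, der_tlv(0x30, tbs) + sig_alg + der_tlv(0x03, b"\x00" * 33))


# id-pkix-ocsp-nocheck's extnValue is an OCTET STRING holding an ASN.1 NULL.
NOCHECK_EXT = der_tlv(0x30, der_tlv(0x06, OID_OCSP_NOCHECK) + der_tlv(0x04, der_tlv(0x05, b"")))

# Constructed sample data: the "key" bytes are placeholders, not real RSA keys.
CA_KEY_BYTES = bytes(range(64))
CA_CERT = build_cert(b"\x01", "Example CA", "Example CA", CA_KEY_BYTES)
LEAF_CERT = build_cert(b"\x10\x42", "Example CA", "www.example.com", bytes(range(64, 128)))
RESPONDER_CERT = build_cert(b"\x07", "Example CA", "Example OCSP Responder",
                            bytes(range(128, 192)), [NOCHECK_EXT])

if __name__ == "__main__":
    cid = cert_id(LEAF_CERT, CA_CERT)
    print("issuerNameHash", cid["issuerNameHash"].hex())
    print("issuerKeyHash ", cid["issuerKeyHash"].hex())
    print("serialNumber  ", hex(cid["serialNumber"]))
    print("responder has id-pkix-ocsp-nocheck:", has_ocsp_nocheck(RESPONDER_CERT))
```

The thing to notice is what a client needs in hand to form the request at all: issuerKeyHash can only be computed from the issuer's certificate, so by the time a client asks about a leaf it already possesses the CA certificate that RFC 6960 says must also have issued the authorized responder's certificate. SHA-1 is used as the default because it is what most deployed clients send in CertID; it is only an identifier here, not a signature.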