What is the use of the responderID in the OCSP response?

I am not clear on the use of the responder ID in the definition of the OCSP response.

I am doing OCSP checks via Java's PKIX APIs.

Using a third party library I get (during the OCSP response processing):

java.security.cert.CertPathValidatorException: Could not determine revocation status: ResponderID in response did not match responder certificate.

If I switch to the default provider (e.g. SUN), I get no such exception and the revocation check works fine.

Looking into this more, it seems that this exception is related to whether the identifier of the responder will use the key hash of the public key of the signing certificate or the subject of the signing certificate.

I do not know what the difference is, though, and why SUN's implementation does not have a problem with the OCSP response.

I do not want to jump to conclusions and drop the other library before I understand what is going on here.

Could someone please help me understand what could be the problem here?

Cratylus asked Nov 14 '22 23:11


1 Answer

ResponderID allows the client to find the certificate among the certificate(s) provided by the server OR, when the certificate is not provided, among the certificates stored locally on the client side.

Eugene Mayevski 'Callback answered Dec 17 '22 16:12
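As an added example (not code from the question, the answer, or any of the libraries mentioned), the following shows what a client has to do to match a ResponderID against a candidate responder certificate under RFC 6960: the CHOICE is either byName ([1], the responder's subject Name) or byKey ([2], the SHA-1 hash of the responder's subjectPublicKey bits, excluding tag, length and the unused-bits byte). The subject Name and SubjectPublicKeyInfo below are constructed sample DER, and the Name comparison is a simplifying byte-for-byte check of the DER rather than full RFC 5280 name matching.

```python
import hashlib

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def der_read(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def key_hash(spki_der: bytes) -> bytes:
    """RFC 6960 KeyHash: SHA-1 over the subjectPublicKey BIT STRING value,
    excluding its tag, length and the leading unused-bits byte."""
    _, spki, _ = der_read(spki_der)     # SEQUENCE { algorithm, subjectPublicKey }
    _, _, pos = der_read(spki)          # skip AlgorithmIdentifier
    tag, bits, _ = der_read(spki, pos)
    if tag != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    return hashlib.sha1(bits[1:]).digest()

def responder_id_matches(responder_id_der: bytes, cert_subject_der: bytes,
                         cert_spki_der: bytes) -> bool:
    """True if the ResponderID (byName [1] or byKey [2]) identifies this certificate."""
    tag, inner, _ = der_read(responder_id_der)
    if tag == 0xA1:                     # byName: EXPLICIT [1] Name
        return inner == cert_subject_der    # simplification: DER byte equality
    if tag == 0xA2:                     # byKey: EXPLICIT [2] KeyHash OCTET STRING
        t, digest, _ = der_read(inner)
        return t == 0x04 and digest == key_hash(cert_spki_der)
    return False                        # unknown CHOICE alternative: no match

# Constructed sample data: a CN-only subject and an SPKI carrying a dummy key.
SUBJECT = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30,
    der_tlv(0x06, bytes([0x55, 0x04, 0x03])) + der_tlv(0x0C, b"OCSP Responder"))))
SPKI = der_tlv(0x30,
    der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))
    + der_tlv(0x03, b"\x00" + bytes(range(1, 65))))
RID_BY_NAME = der_tlv(0xA1, SUBJECT)
RID_BY_KEY = der_tlv(0xA2, der_tlv(0x04, key_hash(SPKI)))
```

A client that only checks one of the two forms, or hashes the whole BIT STRING TLV instead of its contents, will report a responder mismatch on a perfectly valid response.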