How I can know what validation system must I use?
| fealfu@gmail.com 2006-04-18, 4:05 am |
| Hi
I'm new to certificates and I'd like to know how I can know if I must
validate a certificate with CRL or with OCSP.
I know I can find the CRL Distribution Point in extension 2.5.29.31
but it is not mandatory and I don't know if a similar extension exists
for OCSP.
Also, I'd like to know if there is any way to validate a
certificate and its issuer certificate, and its issuer certificate...
automatically, without validating them one by one.
Thank you very much.
| |
| Ronny Schuetz 2006-04-18, 4:05 am |
| Hi,
regarding the subject: Worst case you need to support both revocation
check mechanisms: CRLs and OCSP.
> I know I can find the CRL Distribution Point in extension 2.5.29.31
> but it is not mandatory and I don't know if a similar extension exists
> for OCSP.
The AuthorityInfoAccess extension can contain the URL for the respective
OCSP responder.
> Also, I'd like to know if there is any way to validate a
> certificate and its issuer certificate, and its issuer certificate...
> automatically, without validating them one by one.
You may create a single OCSP request to check the status of multiple
certificates. For CRLs, it's just a bunch of lookups to the same CRL. I'm
not aware of an automatic way, but that does not mean that there isn't one.
Best regards,
Ronny
| |
| Ronny Schuetz 2006-04-18, 8:10 am |
| > You may create a single OCSP request to check the status of multiple
> certificates. For CRLs, it's just a bunch of lookups to the same CRL.
... all assuming of course that the certificates to check refer to the
same CRL location resp. OCSP responder.
Ronny
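
Added example, not part of the original thread: a sketch that reports which of the two extensions discussed above (CRL Distribution Points, AuthorityInfoAccess) each certificate carries, then validates the whole chain in one call with the JDK's PKIX validator. It assumes Java 8 or later (for `PKIXRevocationChecker`, which postdates this thread); the class name and the two PEM file arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

public class ChainRevocationCheck {
    static final String CRL_DP = "2.5.29.31";          // CRL Distribution Points
    static final String AIA    = "1.3.6.1.5.5.7.1.1";  // AuthorityInfoAccess (can carry the OCSP URL)

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = PEM file with the chain, end-entity certificate first,
        // root excluded; args[1] = PEM file with the trusted root certificate.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        X509Certificate root;
        try (InputStream in = new FileInputStream(args[1])) {
            root = (X509Certificate) cf.generateCertificate(in);
        }

        // Report which revocation pointers each certificate carries (neither is mandatory).
        for (X509Certificate c : chain) {
            System.out.printf("%s%n  CRL distribution point: %b, AuthorityInfoAccess: %b%n",
                    c.getSubjectX500Principal().getName(),
                    c.getExtensionValue(CRL_DP) != null,
                    c.getExtensionValue(AIA) != null);
        }

        // Validate the whole path in one call, revocation status included.
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) validator.getRevocationChecker();
        // With no options set, OCSP is tried first and CRLs are the fallback; leaving out
        // SOFT_FAIL means an unreachable responder or CRL rejects the path.
        rc.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));

        PKIXParameters params =
                new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.addCertPathChecker(rc);

        try {
            validator.validate(cf.generateCertPath(chain), params);
            System.out.println("Path valid, no certificate revoked");
        } catch (CertPathValidatorException e) {
            System.out.println("Rejected at chain index " + e.getIndex() + ": " + e.getReason());
        }
    }
}
```

Revocation lookups go to the URLs named in each certificate, so the run needs network access to the issuing CA's OCSP responder or CRL location.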