OCSP Trust Chain / Issuing CA's (i.e., stop requiring end-entity responder certs)

Idea created by CBertagnolli Champion on Mar 11, 2015
    Under review
    • Hubert Dennis
    • Huned Rangwala
    • j_possel
    • jmadderra
    • CBertagnolli
    • Josh Perlmutter
    • Mukund Kalidasa Mallar

    Problem Description

    OCSP end-entity responder certificates are required to be stored locally to support OCSP validation; even when supplied the public certificate it does not walk the chain and requires a direct certificate comparison/validation.


    Problem Impact

    Utilization of CA SSO OCSP certificate validation is unmanageable due to operational overhead maintaining the end-entity certificates. This is especially difficult when supporting certificates/smartcards which may be issued by some external issuer that you trust; the end-point certificates are not generally distributed and often have very short lifetimes (i.e., 30-90 days); a single external end-point may also consist of numerous certificates in a load balanced environment. However, the issuing CA chains are published, known, and multi-year expirations.


    Even internally it is unnecessary and counter to common PKI practice to require the end-entity certificates.


    Requested Functionality
    The product should take the public certificate that was presented as part of the response, build the chain by following the AIA entries in the certificate and make sure that it terminates at a root that was chosen to be trusted. If this is successful, then validation passes and the OCSP response is considered 'trusted'.