
I am building an OCSP responder and I need to issue an OCSP Signer certificate from the CA that will be used to sign OCSP responses.

In the definition of the certificate profile for the OCSP Signer certificate, should I define CRL distribution points or an AIA OCSP URI?

As for the OCSP URI, I think it does not make any sense, as it would be pointing to the same URI where responses are signed with the same OCSP certificate. Then I can't trust the OCSP response when asking if the OCSP Signer certificate is valid.

Using CRL distribution points may be useful, so anyone can check if the OCSP Signer certificate is valid through a different path (channel).

Does it make sense for the OCSP Signer certificate to include CRL distribution points and an OCSP URI?

user1563721

1 Answer

> In the definition of the certificate profile for the OCSP Signer certificate, should I define CRL distribution points or an AIA OCSP URI?

RFC 6960 allows such a configuration; however, in practice there is no real benefit, because you will have another third-party source to validate the OCSP signing certificate. When the OCSP signing certificate includes the id-pkix-ocsp-nocheck certificate extension, it is not validated for revocation.

Crypt32
  • Is it good practice to include the `id-pkix-ocsp-nocheck` certificate extension or to include a CRL distribution point? – user1563721 Dec 20 '16 at 12:21
  • It is recommended to include the `id-pkix-ocsp-nocheck` extension and not to include CDP/AIA extensions at all. – Crypt32 Dec 20 '16 at 13:21
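As an added example (not from the question or the answer above), an OpenSSL extension profile that follows the recommendation: the OCSP signer gets `id-pkix-ocsp-nocheck` and the OCSP Signing EKU, and deliberately no CRL distribution points or AIA, plus a check that the issued certificate matches the profile. The CA, subject names and file paths are all constructed for the demo.

```shell
#!/bin/sh
# Added example: issue an OCSP signer certificate from a throwaway demo CA
# using a profile with id-pkix-ocsp-nocheck and no CDP/AIA extensions.
# Every name and path below is constructed for this demo.
set -eu

WORK="$(mktemp -d)"

# Profile for the OCSP signer. "noCheck" is OpenSSL's name for
# id-pkix-ocsp-nocheck (its value is ignored). There is intentionally no
# crlDistributionPoints and no authorityInfoAccess line.
cat > "$WORK/ocsp.cnf" <<'EOF'
[ ocsp_signer ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = critical, OCSPSigning
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
noCheck                = ignore
EOF

# Creates the demo CA and the OCSP signer cert; prints the signer cert path.
issue_ocsp_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo OCSP Signer" \
    -keyout "$WORK/ocsp.key" -out "$WORK/ocsp.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/ocsp.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ocsp.cnf" -extensions ocsp_signer \
    -out "$WORK/ocsp.crt" >/dev/null 2>&1
  echo "$WORK/ocsp.crt"
}

# Returns 0 only if the certificate has the OCSP Signing EKU and
# id-pkix-ocsp-nocheck, and has neither CDP nor AIA extensions.
check_ocsp_signer_profile() {
  text="$(openssl x509 -in "$1" -noout -text)"
  printf '%s\n' "$text" | grep -q 'OCSP Signing' || return 1
  printf '%s\n' "$text" | grep -q 'OCSP No Check' || return 1
  if printf '%s\n' "$text" | grep -q 'CRL Distribution Points'; then return 1; fi
  if printf '%s\n' "$text" | grep -q 'Authority Information Access'; then return 1; fi
  return 0
}
```

A responder that loads the resulting certificate can be exercised with `openssl ocsp -rsigner "$WORK/ocsp.crt" -rkey "$WORK/ocsp.key"`; clients then skip revocation checking of the signer because of the no-check extension.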