Re: [SmartcardServices-Users] How can I specify alternate OCSP URL in OCS X?
Date: Mon, 04 Jan 2010 15:37:05 -0500
From: "Shawn A. Geddis" <geddis@apple.com>
To: Paul Kwan <paul.kwan@centrify.com>
Cc: SmartcardServices-Users Group <smartcardservices-users@lists.macosforge.org>
Subject: Re: [SmartcardServices-Users] How can I specify alternate OCSP URL in OCS X?
Message-ID: <D79F1050-DA34-4F6C-8C8D-4CC4294D5B90@apple.com>
Content-Type: text/plain; charset="us-ascii"
...
Paul,
No. Mac OS X enforces what is in the certificate, because that is what can be absolutely validated.

There are third-party products which have incorporated additional services to rewrite/process the Cert Revocation URI found in the Cert to a *configurable* URI -- allowing you to go from CRLDistribution Points to AIA Extensions (for OCSP).

__________________________________________________
Shawn Geddis
geddis@mac.com
Security Consulting Engineer

The certificate URI is fine for me. Is there a way to accept an OCSP reply when the responder is using a self-signed root and isn't in the chain of trust for the certificate/CA? There is probably a good reason for the DoD OCSP certificates, but OCSP always fails for me, causing huge delays for CRL download.

Keith

participants (1)
- Beck, Keith M CDR ACNO NGEN, OPNAV N099