[SmartcardServices-Users] How can I specify alternate OCSP URL in OCS X?

Beck, Keith M CDR ACNO NGEN, OPNAV N099 keith.m.beck at navy.mil
Tue Jan 5 05:59:02 PST 2010


> Date: Mon, 04 Jan 2010 15:37:05 -0500
> From: "Shawn A. Geddis" <geddis at apple.com>
> To: Paul Kwan <paul.kwan at centrify.com>
> Cc: SmartcardServices-Users Group
> 	<smartcardservices-users at lists.macosforge.org>
> Subject: Re: [SmartcardServices-Users] How can I specify alternate
>	OCSP URL	in	OCS X?
>Message-ID: <D79F1050-DA34-4F6C-8C8D-4CC4294D5B90 at apple.com>
>Content-Type: text/plain; charset="us-ascii"
>
...
>
>Paul,
>
>No.  Mac OS X enforces what is in the certificate, because that is what can
>be absolutely validated.
>
>There are third-party products which have incorporated additional services
>to rewrite/process the Cert Revocation URI found in the Cert to a
>*configurable* URI -- allowing you to go from CRLDistribution Points to AIA
>Extensions (for OCSP).
>__________________________________________________
>Shawn Geddis  geddis at mac.com
>Security Consulting Engineer

The certificate URI is fine for me.  Is there a way to accept an OCSP
reply when the responder is using a self-signed root and isn't in the
chain of trust for the certificate/CA? There is probably a good reason
for the DoD OCSP certificates, but OCSP always fails for me, causing
huge delays for CRL download.

Keith

