RFC 4806: Online Certificate Status Protocol (OCSP)...
RFC-Ref


... trust. OCSP [RFC2560] offers a useful alternative. The size of an OCSP response is bounded and small and therefore suitable for in-band IKEv2 ...

... This document defines an extension to IKEv2 that enables the use of OCSP for in-band signaling of certificate ...

... A CERTREQ payload with "OCSP Content" identifies zero or more trusted OCSP responders and is a request for inclusion of an OCSP response in the IKEv2 handshake ... responds with a CERT payload containing the appropriate OCSP response. This content is recognizable via the same "OCSP Content" identifier. ...


... This document defines the following terms:

OCSP request: An OCSP request refers to the CERTREQ payload that contains a new content encoding, referred to as OCSP Content, that conforms to the definition and behavior specified in Section 3.1.

OCSP response: An OCSP response refers to the CERT payload that contains a new content encoding, referred to as OCSP Content, that conforms to the definition and behavior specified in Section 3.2.

OCSP responder: The term OCSP responder refers to the entity that accepts requests from an OCSP client and returns responses as defined in [RFC2560]. Note that the OCSP responder does not refer to the party that sends the CERT ...


   Certificate Encoding          Value
   --------------------          -----
   OCSP Content                   14

OCSP Request

... A value of OCSP Content (14) in the Cert Encoding field of a CERTREQ Payload indicates the presence of zero or more OCSP responder certificate ... CA, indicating that the responder may issue OCSP responses for that CA ... hashes in the CERTREQ message is not needed since the OCSP response is signed by the CA who issued the certificate. In case of (c), the OCSP response is signed by the CA Designated Responder ... CERTREQ message does not know the public key in advance. The presence of OCSP Content in a CERTREQ message will identify one or more OCSP responders trusted by the sender in case of (b).

The presence of OCSP Content (14) in a CERTREQ message:

   1. identifies zero or more OCSP responders trusted by the sender;
   2. notifies the recipient of sender's support for the OCSP extension to IKEv2; and
   3. notifies the recipient of sender's desire to receive OCSP confirmation in a subsequent CERT payload ...

OCSP Response

... A value of OCSP Content (14) in the Cert Encoding field of a CERT Payload indicates the presence of an OCSP response in the Certificate Data field ... payload. Correlation between an OCSP response CERT payload and a corresponding payload carrying a certificate can be achieved by matching the OCSP response CertID field to the certificate. See [RFC2560] for the definition of OCSP response content. ...


Request for OCSP Support

... hashes, if present, relates to the certificate of a trusted OCSP responder. Therefore, an OCSP request, as defined in Section 3.1 above, is transmitted separate from any other CERTREQ payloads ... exchange. Where it is useful to identify more than one trusted OCSP responder, each such identification SHALL be concatenated in a manner identical ... The Certification Authority value in an OCSP request CERTREQ SHALL be computed and produced in a manner identical to that of trust anchor ... IKEv2].

Upon receipt of an OCSP response CERT payload corresponding to a prior OCSP request CERTREQ, the CERTREQ sender SHALL incorporate the OCSP response into path validation logic defined by [RFC3280]. Note that the lack of an OCSP response CERT payload after sending an OCSP request CERTREQ payload might be an indication that this OCSP extension is not supported. As a result, it is recommended that nodes ... all peers do in fact support this extension. Otherwise, it is recommended that the nodes be configured to try OCSP and, if there is no response, attempt to determine certificate revocation status ...

Response to OCSP Support

... Upon receipt of an OCSP request CERTREQ payload, the recipient SHOULD acquire the related OCSP-based assertion and produce and transmit an OCSP response CERT payload corresponding to the certificate ... payloads. An OCSP response CERT payload is transmitted separate from any other ... IKEv2 exchange. The means by which an OCSP response may be acquired for production of an OCSP response CERT payload is out of scope of this document. The Certificate Data field of an OCSP response CERT payload SHALL ...


   Initiator                                Responder
   ...
                                  <--  (2)  HDR, SAr1, KEr, Nr,
                                            CERTREQ(OCSP Request)
   (3)  HDR, SK {IDi, CERT(certificate), -->
             CERT(OCSP Response),
             CERTREQ(OCSP Request),
             [IDr,] AUTH ...
                                  <--  ...  CERT(certificate),
                                            CERT(OCSP Response),
                                            AUTH, SAr2 ... TSr}

                  OCSP Extensions to Baseline IKEv2

... In (2), Responder sends an OCSP request CERTREQ payload identifying zero or more OCSP responders trusted by the Responder. In response, ... payload carrying its certificate and an OCSP response CERT payload covering that certificate. In (3), Initiator also requests an OCSP response via the OCSP request CERTREQ payload ... Responder returns its certificate and a separate OCSP response CERT payload covering that certificate ...

... Initiator's certificate and therefore cannot form an OCSP request as defined in [RFC2560]. To bypass this problem, hashes are used as defined in Section 4.1. In such instances, OCSP Requests are simply index values into these data. Thus, it is easily inferred that OCSP responses can be produced in the absence of a corresponding request (provided that OCSP nonces are not used, see Section 6). It is also important in extending IKEv2 toward OCSP in this scenario that the Initiator has certain knowledge that the Responder will only trust one or more OCSP responder signatures. These factors motivate the definition of OCSP responder hash extension. ...

... IPsec gateway. Note that OCSP is used for the certificate status check of the server side ...

   Initiator                                Responder
   ...
   ... IDi,                              -->
             CERTREQ(OCSP Request),
             [IDr,] AUTH ...
                                  <--  ...  CERT(certificate),
                                            CERT(OCSP Response),
                                            AUTH, EAP ...
   ...
                                  <--  ...  TSr }

                  OCSP Extensions to EAP in IKEv2
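The payload encoding of Sections 3 and 4 and the contents of messages (2) and (3) of the baseline exchange above, as an added example; this is not code from the RFC or from any IKE implementation. It assumes the RFC 4306 wire layout (generic payload header; payload types 37 for CERT and 38 for CERTREQ; Cert Encoding 4 for "X.509 Certificate - Signature") and the trust-anchor hash rule of RFC 4306 Section 3.7 that Section 4.1 reuses for responder hashes: SHA-1 over the responder's DER SubjectPublicKeyInfo, 20 bytes each, concatenated. The SPKI, certificate and OCSP response byte strings are constructed placeholders, the OCSP response body is treated as opaque (matching its CertID to the certificate is left to an OCSP library), and the rule in choose_ocsp_response is this example's own policy. The RFC 2560 signer cases the text refers to as (a), (b) and (c) are, in that order: the CA that issued the certificate, a responder whose key the requester trusts directly, and a CA-designated responder.

```python
"""IKEv2 CERT / CERTREQ payloads carrying OCSP Content (Cert Encoding 14).

Wire layout (RFC 4306 sections 3.6 and 3.7, generic payload header first):

    Next Payload (1) | C|RESERVED (1) | Payload Length (2) | Cert Encoding (1) | data ...

CERTREQ data is the Certification Authority field: for OCSP Content, concatenated
20-byte SHA-1 hashes of trusted responders' SubjectPublicKeyInfo (RFC 4806 4.1).
CERT data is the Certificate Data field: here the DER OCSPResponse, kept opaque.
"""
import hashlib
import struct

PT_NONE = 0
PT_CERT = 37           # payload types, RFC 4306 section 3.2
PT_CERTREQ = 38
ENC_X509_SIG = 4       # "X.509 Certificate - Signature", RFC 4306 section 3.6
ENC_OCSP_CONTENT = 14  # RFC 4806 sections 3 and 7
HASH_LEN = 20
HDR = struct.Struct("!BBHB")   # next payload, flags, payload length, cert encoding


def responder_hash(spki_der: bytes) -> bytes:
    """Identifier of a trusted OCSP responder: SHA-1 over its DER SubjectPublicKeyInfo."""
    return hashlib.sha1(spki_der).digest()


def ocsp_request(responder_spkis):
    """OCSP request: CERTREQ(14) naming zero or more trusted responders."""
    return (PT_CERTREQ, ENC_OCSP_CONTENT, b"".join(responder_hash(s) for s in responder_spkis))


def ocsp_response(ocsp_response_der: bytes):
    """OCSP response: CERT(14) whose Certificate Data is the DER OCSPResponse."""
    return (PT_CERT, ENC_OCSP_CONTENT, ocsp_response_der)


def certificate(cert_der: bytes):
    return (PT_CERT, ENC_X509_SIG, cert_der)


def encode_chain(payloads):
    """Serialise (type, encoding, body) triples as consecutive payloads, each with its
    own header and Next Payload pointer. Section 4 keeps the OCSP request and the OCSP
    response separate from other CERTREQ / CERT payloads, so nothing is merged."""
    wire = bytearray()
    for i, (_, enc, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PT_NONE
        wire += HDR.pack(nxt, 0, HDR.size + len(body), enc) + body
    return payloads[0][0], bytes(wire)


def decode_chain(first_type: int, wire: bytes):
    """Inverse of encode_chain, with the bounds checks a real parser needs."""
    out, ptype, off = [], first_type, 0
    while ptype != PT_NONE:
        if ptype not in (PT_CERT, PT_CERTREQ):
            raise ValueError(f"unexpected payload type {ptype}")
        if off + HDR.size > len(wire):
            raise ValueError("truncated payload header")
        nxt, _flags, length, enc = HDR.unpack_from(wire, off)
        if length < HDR.size or off + length > len(wire):
            raise ValueError("bad payload length")
        out.append((ptype, enc, wire[off + HDR.size:off + length]))
        off, ptype = off + length, nxt
    if off != len(wire):
        raise ValueError("trailing bytes after last payload")
    return out


def interpret_ocsp_request(ca_field: bytes) -> dict:
    """Section 3.1: an OCSP-Content CERTREQ (1) names the responders the sender trusts,
    (2) shows the sender supports the extension, (3) asks for an OCSP response."""
    if len(ca_field) % HASH_LEN:
        raise ValueError("Certification Authority field is not a multiple of 20 bytes")
    hashes = [ca_field[i:i + HASH_LEN] for i in range(0, len(ca_field), HASH_LEN)]
    return {"peer_supports_ocsp": True, "wants_ocsp_response": True,
            "trusted_responders": hashes}


def choose_ocsp_response(cache, trusted_responders):
    """Pick a precomputed response for our own certificate from (signer_spki_der,
    ocsp_response_der) pairs. Policy is this example's assumption, not RFC text: with
    responder hashes present, only a response signed by one of them is usable
    (case (b)); with none present, the first cached response (cases (a)/(c)) is sent."""
    if not trusted_responders:
        return cache[0][1] if cache else None
    for signer_spki, resp_der in cache:
        if responder_hash(signer_spki) in trusted_responders:
            return resp_der
    return None


# Constructed stand-ins for DER objects; a deployment uses genuine SPKI / OCSP DER.
RESP_A_SPKI = b"constructed-spki-of-responder-A"
RESP_B_SPKI = b"constructed-spki-of-responder-B"
INITIATOR_CERT = b"constructed-initiator-certificate-der"
INITIATOR_OCSP_CACHE = [(RESP_A_SPKI, b"constructed-ocsp-response-signed-by-A")]


def baseline_exchange(responder_trusts):
    """Messages (2) and (3): the Responder's CERTREQ(OCSP Request), then the Initiator's
    CERT(certificate), CERT(OCSP Response) and its own CERTREQ(OCSP Request)."""
    first2, msg2 = encode_chain([ocsp_request(responder_trusts)])
    req = interpret_ocsp_request(decode_chain(first2, msg2)[0][2])
    resp = choose_ocsp_response(INITIATOR_OCSP_CACHE, req["trusted_responders"])
    payloads = [certificate(INITIATOR_CERT)]
    if resp is not None:
        payloads.append(ocsp_response(resp))
    payloads.append(ocsp_request([]))   # empty list: a CA-signed response is acceptable
    first3, msg3 = encode_chain(payloads)
    return [(t, e) for t, e, _ in decode_chain(first3, msg3)], resp
```

baseline_exchange([RESP_A_SPKI]) yields message (3) with three separate payloads, in the order the figure shows; baseline_exchange([RESP_B_SPKI]) shows the case where the Initiator holds no response signed by a responder the Responder trusts and therefore sends only its certificate, which under Section 4.1 the Responder should treat as "no OCSP response" rather than as confirmation.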


... For the reasons noted above, an OCSP request, as defined in Section 3.1, is used in place of an OCSP request syntax to trigger production and transmission of an OCSP response. OCSP, as defined in [RFC2560], may contain a nonce ... replay attacks (see Section 4.4.1 of [RFC2560] for further details). The OCSP request defined by this document cannot accommodate nonces. [RFC2560 ... certificate has been revoked. Deployments of OCSP should carefully evaluate the benefit of precomputed responses against the probability of a replay attack and the costs associated with its successful execution." Nodes SHOULD make the required freshness of an OCSP response configurable. ...
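The freshness requirement this section calls for, as an added example that is not code from the RFC or from any IKE implementation. Because the CERTREQ-based OCSP request carries no nonce, a peer whose certificate was revoked after a "good" response was produced can keep presenting that response until it is no longer acceptable; the only lever the protocol leaves is how old a response may be. The example assumes the RFC 2560 SingleResponse fields thisUpdate, nextUpdate and certStatus have already been decoded by an OCSP library, uses a constructed timeline, and adds the Section 4.1 fallback for the case where no OCSP response CERT payload arrives at all. The names (SingleResponse, FreshnessPolicy, crl_says) are this example's own.

```python
"""Freshness policy for OCSP responses received in-band over IKEv2 (RFC 4806 section 6).

Without a nonce nothing binds the response to this exchange, so a precomputed "good"
response can be replayed for as long as it passes the receiver's checks. The policy
below bounds that window with a configurable maximum age on thisUpdate, in addition
to the responder's own nextUpdate.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class SingleResponse:
    cert_status: str                 # "good", "revoked" or "unknown" (RFC 2560 CertStatus)
    this_update: datetime
    next_update: Optional[datetime]  # absent means the responder gives no expiry


@dataclass(frozen=True)
class FreshnessPolicy:
    max_age: timedelta                            # oldest thisUpdate accepted (configurable)
    clock_skew: timedelta = timedelta(minutes=5)  # tolerance for responder clock drift


def evaluate(resp: SingleResponse, policy: FreshnessPolicy, now: datetime) -> str:
    """Map one response to good/revoked/unknown under the policy. A stale "revoked"
    stays "revoked" (it can only deny access); anything else failing a check becomes
    "unknown" so a replayed "good" is never treated as current."""
    if resp.cert_status == "revoked":
        return "revoked"
    if resp.this_update > now + policy.clock_skew:
        return "unknown"     # produced in the future: bad clock or forged
    if resp.next_update is not None and now > resp.next_update + policy.clock_skew:
        return "unknown"     # the responder itself says this response has expired
    if now - resp.this_update > policy.max_age:
        return "unknown"     # still inside nextUpdate, but older than our replay tolerance
    return resp.cert_status


def revocation_status(resp: Optional[SingleResponse], policy: FreshnessPolicy,
                      now: datetime, fallback: Optional[Callable[[], str]],
                      require_ocsp: bool) -> str:
    """Section 4.1 behaviour: no OCSP response CERT payload after our OCSP request is a
    hard failure where every peer is known to support the extension (require_ocsp), and
    otherwise a cue to determine status another way, e.g. a CRL lookup (fallback)."""
    if resp is None:
        if require_ocsp or fallback is None:
            return "unknown"
        return fallback()
    status = evaluate(resp, policy, now)
    if status == "unknown" and fallback is not None:
        return fallback()
    return status


# Constructed timeline: a "good" response is produced at T0 with a one-week nextUpdate,
# the certificate is revoked an hour later, and the peer replays the response at T0+2d.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
REPLAYED_GOOD = SingleResponse("good", T0, T0 + timedelta(days=7))
REVOKED_AT = T0 + timedelta(hours=1)
REPLAY_TIME = T0 + timedelta(days=2)


def crl_says() -> str:
    """Stand-in for an out-of-band source that already knows about the revocation."""
    return "revoked" if REPLAY_TIME >= REVOKED_AT else "good"


def replay_scenario() -> dict:
    """The same replayed response under a lax policy and under a tight one."""
    lax = FreshnessPolicy(max_age=timedelta(days=7))     # accepts whatever nextUpdate allows
    tight = FreshnessPolicy(max_age=timedelta(hours=12))
    return {
        "lax_accepts": evaluate(REPLAYED_GOOD, lax, REPLAY_TIME),
        "tight_rejects": evaluate(REPLAYED_GOOD, tight, REPLAY_TIME),
        "tight_with_crl": revocation_status(REPLAYED_GOOD, tight, REPLAY_TIME, crl_says, False),
        "no_response_strict": revocation_status(None, tight, REPLAY_TIME, crl_says, True),
        "no_response_fallback": revocation_status(None, tight, REPLAY_TIME, crl_says, False),
    }
```

The lax policy, which trusts any response still inside its nextUpdate, accepts the two-day-old "good" for a certificate revoked after the response was produced; the tight policy downgrades it to "unknown", and the Section 4.1 fallback then reaches the CRL that records the revocation. The right max_age is a trade-off against how often the responder produces fresh precomputed responses, which is why the RFC leaves it configurable.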


... Encoding field of the Certificate Payload format. Official assignment of the "OCSP Content" extension to the Cert Encoding table of Section 3.6 of [IKEv2 ...

   Certificate Encoding          Value
   --------------------          -----
   OCSP Content                   14


... Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP", RFC 2560, June 1999. ...


