httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: mod_ssl OCSP questions
Date Fri, 30 Nov 2007 15:48:20 GMT
On Fri, Nov 30, 2007 at 10:34:28AM +0100, Marc Stern wrote:
> To be generic, we should be able to set some options based on the cert CA, 
> because we could use several types of certs (like when dealing with 
> national certs from European countries).

Having security policy decided based on a *regex match* against a 
textual representation of the issuer DN sounds pretty scary to me!

So the config options that are needed currently seem to be something 
like this:

  # select whether to validate the whole chain or just the EE cert
  SSLOCSPValidateWholeChain <flag>
  # set maximum time skew and age for response validity period
  SSLOCSPResponseWindow <skew-secs> <max-age-secs>
  # set CA certs for response signature verification
  SSLOCSPResponseCAFile <file>
  SSLOCSPResponseCAPath <directory>

These (and existing config options) could conceivably be wrapped into 
issuer-CA-specific containers in the configuration, like:

   <SSLOCSPValidationPolicy issuer-cert-file>
      SSLOCSPFoo on
   </SSLOCSPValidationPolicy>

which does some magic to allow selection of policy based on matching the 
EE's issuer DN against the DNs of the certs in the issuer-cert-file; but 
that's all blue sky stuff.

joe
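The `<skew-secs> <max-age-secs>` pair sketched above is the part of the proposal with well-defined semantics, so here is an added example (not from Joe's message and not httpd code) that models the check in Python. It applies the rules OpenSSL's OCSP_check_validity() uses for the same two parameters: thisUpdate may lie at most skew seconds in the future and at most max-age seconds in the past; nextUpdate, when the responder includes one, may lie at most skew seconds in the past and must not precede thisUpdate. The directive parser, the use of `-1` for "no age limit", and the timestamps are assumptions constructed for the example.

```python
"""Model of a `SSLOCSPResponseWindow <skew-secs> <max-age-secs>` check.

Added example; the directive was only proposed on the list, and the rules
below are those of OpenSSL's OCSP_check_validity(), not mod_ssl's own code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ResponseWindow:
    skew: timedelta                 # tolerated clock skew, both directions
    max_age: Optional[timedelta]    # None: no bound on how old thisUpdate may be


def parse_response_window(directive: str) -> ResponseWindow:
    """Parse `SSLOCSPResponseWindow <skew-secs> <max-age-secs>`.

    Assumption for this example: a max-age of -1 disables the age check,
    mirroring the maxsec < 0 convention of OCSP_check_validity().
    """
    parts = directive.split()
    if len(parts) != 3 or parts[0] != "SSLOCSPResponseWindow":
        raise ValueError("expected: SSLOCSPResponseWindow <skew-secs> <max-age-secs>")
    skew, max_age = int(parts[1]), int(parts[2])
    if skew < 0:
        raise ValueError("skew must be >= 0")
    return ResponseWindow(
        skew=timedelta(seconds=skew),
        max_age=None if max_age < 0 else timedelta(seconds=max_age),
    )


def check_validity(this_update: datetime, next_update: Optional[datetime],
                   now: datetime, window: ResponseWindow) -> List[str]:
    """Return the reasons a response's validity period is rejected ([] = accept)."""
    errors: List[str] = []
    # thisUpdate must not be further in the future than the tolerated skew.
    if this_update > now + window.skew:
        errors.append("status not yet valid")
    # thisUpdate must not be older than max-age; this is the only bound that
    # applies when the responder omits nextUpdate, so a window without a
    # max-age accepts arbitrarily stale single-use responses.
    if window.max_age is not None and this_update < now - window.max_age:
        errors.append("status too old")
    if next_update is not None:
        # nextUpdate must not be further in the past than the tolerated skew.
        if next_update < now - window.skew:
            errors.append("status expired")
        # A responder must never claim the next update precedes this one.
        if next_update < this_update:
            errors.append("nextUpdate before thisUpdate")
    return errors


# Constructed reference clock: the date of the mail above, in UTC.
NOW = datetime(2007, 11, 30, 15, 48, 20, tzinfo=timezone.utc)


def demo() -> dict:
    """Run constructed scenarios against a 5-minute skew, 1-day max-age window."""
    window = parse_response_window("SSLOCSPResponseWindow 300 86400")
    unbounded = parse_response_window("SSLOCSPResponseWindow 300 -1")
    h, d = timedelta(hours=1), timedelta(days=1)
    return {
        "fresh": check_validity(NOW - h, NOW + d, NOW, window),
        "clock_ahead_within_skew": check_validity(NOW + timedelta(seconds=200), NOW + d, NOW, window),
        "not_yet_valid": check_validity(NOW + timedelta(minutes=10), NOW + d, NOW, window),
        "too_old": check_validity(NOW - 2 * d, NOW + h, NOW, window),
        "expired": check_validity(NOW - 2 * h, NOW - h, NOW, window),
        "inverted": check_validity(NOW - h, NOW - 2 * h, NOW, window),
        "no_nextupdate_old": check_validity(NOW - 2 * d, None, NOW, window),
        "no_nextupdate_unbounded": check_validity(NOW - 2 * d, None, NOW, unbounded),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} {'accept' if not result else ', '.join(result)}")
```

The two no-nextUpdate scenarios are the caveat worth noting when choosing the second number: a response without nextUpdate is bounded only by max-age, so setting it to "unlimited" means a captured good response for a since-revoked certificate is replayable indefinitely.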
