I am not clear on the use of the responder ID in the definition of the OCSP response.
I am doing OCSP checks via Java's PKIX APIs.
Using a third party library I get (during the OCSP response processing):
java.security.cert.CertPathValidatorException: Could not determine revocation status: ResponderID in response did not match responder certificate.
If I switch to the default provider (e.g. SUN), I get no such exception and the revocation check works fine.
Looking into this more, it seems that this exception is related to whether the identifier of the responder will use the key hash of the public key of the signing certificate or the subject of the signing certificate.
I do not know what the difference is, though, or why SUN's implementation does not have a problem with the OCSP response.
I do not want to jump to conclusions and drop the other library before I understand what is going on here.
Could someone please help me understand what could be the problem here?
ResponderID allows the client to find the certificate among the certificate(s) provided by the server or, when the certificate is not provided, among the certificates stored locally on the client side.
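To make the two forms of ResponderID concrete, here is an added example (not part of the question or the answer, and not code from any of the libraries mentioned) using Python's `cryptography` package. It generates throwaway keys and certificates, signs one OCSP response whose ResponderID is the byKey form (SHA-1 of the responder's subjectPublicKey BIT STRING value, RFC 6960 KeyHash) and one whose ResponderID is the byName form (the responder certificate's subject), then shows a client-side match that handles both arms of the CHOICE, plus a deliberately narrow matcher that only understands byKey. The narrow matcher is an illustration of one plausible cause of a "ResponderID did not match" failure, not a claim about what any particular library does. All names and certificates are constructed here.

```python
"""Matching an OCSP ResponderID (byKey vs byName) against a candidate
responder certificate. All keys and certificates are generated locally for
the demo; nothing here comes from a real deployment."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _make_cert(cn, signer=None):
    """Generate a P-256 key and a certificate for it (constructed demo data).
    With signer=None the certificate is self-signed; otherwise signer is a
    (key, cert) tuple whose cert.subject becomes the issuer name."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    signing_key, issuer = (key, subject) if signer is None else (signer[0], signer[1].subject)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(signing_key, hashes.SHA256())
    )
    return key, cert


def responder_key_hash(cert):
    """RFC 6960 KeyHash for a certificate: SHA-1 over the value octets of the
    subjectPublicKey BIT STRING (tag, length and unused-bits byte excluded).
    An RFC 5280 method-1 SubjectKeyIdentifier hashes exactly the same octets,
    so that helper yields the value without hand-parsing the SPKI."""
    return x509.SubjectKeyIdentifier.from_public_key(cert.public_key()).digest


def responder_id_matches(resp, cert):
    """Does the ResponderID in `resp` designate `cert`? Handles both CHOICE
    arms: byKey compares key hashes, byName compares the certificate subject."""
    if resp.responder_key_hash is not None:          # byKey [2] KeyHash
        return resp.responder_key_hash == responder_key_hash(cert)
    return resp.responder_name == cert.subject       # byName [1] Name


def key_only_client_matches(resp, cert):
    """A client that only understands the byKey arm: every byName response is
    reported as 'no match' even when the responder certificate is right."""
    return resp.responder_key_hash == responder_key_hash(cert)


def build_response(encoding, responder, issuer_cert, leaf_cert):
    """Sign a 'good' OCSP response for leaf_cert using the given ResponderID encoding."""
    responder_key, responder_cert = responder
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        ocsp.OCSPResponseBuilder()
        .add_response(
            cert=leaf_cert, issuer=issuer_cert, algorithm=hashes.SHA1(),
            cert_status=ocsp.OCSPCertStatus.GOOD,
            this_update=now, next_update=None,
            revocation_time=None, revocation_reason=None,
        )
        .responder_id(encoding, responder_cert)
    )
    return builder.sign(responder_key, hashes.SHA256())


def demo():
    """Build one byKey and one byName response and run both matchers."""
    ca = _make_cert("Demo Issuing CA")
    responder = _make_cert("Demo OCSP Responder", signer=ca)
    _, leaf = _make_cert("demo.example", signer=ca)
    _, other = _make_cert("Unrelated Responder")
    by_key = build_response(ocsp.OCSPResponderEncoding.HASH, responder, ca[1], leaf)
    by_name = build_response(ocsp.OCSPResponderEncoding.NAME, responder, ca[1], leaf)
    return {
        "by_key_matches": responder_id_matches(by_key, responder[1]),
        "by_name_matches": responder_id_matches(by_name, responder[1]),
        "by_key_wrong_cert": responder_id_matches(by_key, other),
        "by_name_wrong_cert": responder_id_matches(by_name, other),
        "key_only_client_on_by_name": key_only_client_matches(by_name, responder[1]),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The responder is free to choose either encoding, so a validator has to accept both; `responder_id_matches` does that, while `key_only_client_matches` shows how a validator that assumes the byKey arm rejects a perfectly valid byName response. Once the matching certificate is found, the client still has to verify the response signature with that certificate's key and check that the certificate is either the issuer itself or was issued by the issuer with the OCSP signing EKU; that part is outside this example.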