
I am not clear on the use of the responder ID in the definition of the OCSP response.

I am doing OCSP checks via Java's PKIX APIs.

Using a third party library I get (during the OCSP response processing):

java.security.cert.CertPathValidatorException: Could not determine revocation status: ResponderID in response did not match responder certificate.

If I switch to the default provider (e.g. SUN), I get no such exception and the revocation check works fine.

Looking into this more, it seems that this exception is related to whether the identifier of the responder will use the key hash of the public key of the signing certificate or the subject of the signing certificate.

I do not know what the difference is, though, or why SUN's implementation does not have a problem with the OCSP response.

I do not want to jump to conclusions and drop the other library before I understand what is going on here.

Could someone please help me understand what could be the problem here?

Cratylus
  • I guess you need to contact the library vendor for support rather than ask such a vague question here. – Eugene Mayevski 'Callback May 09 '11 at 06:49
  • @Eugene: The gist of the question is what the use of the responder ID of the OCSP response is, because from the RFC I am not sure what the use is and whether there are specific expectations on it. – Cratylus May 09 '11 at 11:43

1 Answer


ResponderID allows the client to find the certificate among the certificate(s) provided by the server OR, when the certificate is not provided, among the certificates stored locally on the client side.

Eugene Mayevski 'Callback
  • In this context then, I notice that the exception depends on whether I have configured the OCSP to include the key hash of the signing certificate or the subject of the signing certificate. It seems that the expectation is to be the subject of the signing certificate. But as I understand it, both configurations are valid, right? – Cratylus May 09 '11 at 19:35
  • @user384706 yes, both are valid and the issue is with the third-party library, so my initial advice remains - "contact the library vendor". – Eugene Mayevski 'Callback May 10 '11 at 07:27
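How a client matches both ResponderID forms (byName and byKey, RFC 2560 section 4.2.1) against the responder certificate, as an added example that is not part of the question, the answer or any library mentioned here; it uses only the Python standard library with hand-built DER, and the responder-certificate fields are constructed, not taken from a real certificate:

```python
import hashlib

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_split(data: bytes):
    """Decode one DER TLV and return (tag, body, remaining bytes)."""
    tag, first = data[0], data[1]
    if first < 0x80:
        n, off = first, 2
    else:
        k = first & 0x7F
        n, off = int.from_bytes(data[2:2 + k], "big"), 2 + k
    return tag, data[off:off + n], data[off + n:]

def public_key_bits(spki_der: bytes) -> bytes:
    """subjectPublicKey bits of a DER SubjectPublicKeyInfo (no BIT STRING header, no unused-bits octet)."""
    _, spki_body, _ = der_split(spki_der)          # SEQUENCE { algorithm, subjectPublicKey }
    _, _algorithm, rest = der_split(spki_body)
    bit_tag, bit_body, _ = der_split(rest)
    if bit_tag != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    return bit_body[1:]

def responder_id_matches(responder_id: bytes, subject_der: bytes, spki_der: bytes):
    """ResponderID ::= CHOICE { byName [1] Name, byKey [2] KeyHash }; return the matching form or None."""
    tag, body, _ = der_split(responder_id)
    if tag == 0xA1:                                # byName: DER of the signer certificate's subject
        return "byName" if body == subject_der else None
    if tag == 0xA2:                                # byKey: OCTET STRING holding SHA-1(subjectPublicKey)
        _, key_hash, _ = der_split(body)
        expected = hashlib.sha1(public_key_bits(spki_der)).digest()
        return "byKey" if key_hash == expected else None
    return None                                    # neither CHOICE alternative

def make_responder_id(form: str, subject_der: bytes, spki_der: bytes) -> bytes:
    """Build the ResponderID an OCSP signer would emit in either form."""
    if form == "byName":
        return der(0xA1, subject_der)
    return der(0xA2, der(0x04, hashlib.sha1(public_key_bits(spki_der)).digest()))

# Constructed sample responder-certificate fields (not taken from any real certificate).
SUBJECT = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"Test OCSP Responder"))))
RSA_ALG = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
SPKI = der(0x30, RSA_ALG + der(0x03, b"\x00" + bytes.fromhex("3006020103020103")))  # dummy key bits
```

A client that accepts only the byName form will reject a responder that is configured for byKey even though the signature verifies, which is the mismatch error the question reports.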