OCSP stapling for "ProviderAuthority" objects #4

Open
cyberphone opened this issue Oct 29, 2017 · 0 comments

cyberphone commented Oct 29, 2017

It would be cool to have a mandatory OCSP response for the EE-certificate stapled to the signature object. The OCSP object must minimally be valid for the timeStamp event of the ProviderAuthority object. EE-certificates must anyway contain an OCSP locator entry.

For possible CA certificates in the path, it should be sufficient if they are equipped with standard CRL locators.

```json
{
    "@context": "http://webpki.org/saturn/v3",
    "@qualifier": "ProviderAuthority",
    "httpVersion": "HTTP/1.1",
    "authorityUrl": "https://mobilepki.org/webpay-payeebank/authority",
    "homePage": "https://mobilepki.org/webpay-payeebank",
    "serviceUrl": "https://mobilepki.org/webpay-payeebank/service",
    "extensions": {
        "http://webpki.org/saturn/v3/extensions#refund": "https://mobilepki.org/webpay-payeebank/refund"
    },
    "paymentMethods": ["https://sepa.payments.org","https://ultragiro.se"],
    "signatureProfiles": ["http://webpki.org/saturn/v3/signatures#P-256.ES256"],
    "encryptionParameters": [{
        "dataEncryptionAlgorithm": "A128CBC-HS256",
        "keyEncryptionAlgorithm": "ECDH-ES",
        "publicKey": {
            "kty": "EC",
            "crv": "P-256",
            "x": "DOOwVwUyNdgu4dZ9Ej7pg9j4SDLfGlrzoWso2DIz6ts",
            "y": "WF7ZApRPkbigS4iNoz5-SgPYU-_4891TwHJr-fU4d1w"
        }
    }],
    "timeStamp": "2017-12-13T06:19:06Z",
    "expires": "2017-12-13T07:19:07Z",
    "signature": {
        "algorithm": "ES256",
        "signerCertificate": {
            "issuer": "CN=Payment Network Sub CA3,C=EU",
            "serialNumber": "1461174554959",
            "subject": "CN=Big Bank,2.5.4.5=#1306383936363430,C=DE"
        },
        "certificatePath": [
            "MIIETTCCAjWgAwIBAgI .... BMgfG-zS3jZBeAaEw",
            "MIIFOjCCAyKgAwIBA .... nsb7HivNVd17ASOCFIqw"
        ],
        "extensions": {
            "ocspResponse": "PxlJQu9Q6dOvM4LKo .... pdcLkvKfBfQk11Sb0"
        },
        "value": "UYwFOodf0qupJtg .... 0rJB_EtXKPWobb4g3Q"
    }
}
```

That is, "extensions" contains a Saturn-defined "ocspResponse" property holding a Base64URL encoded OCSP response object.
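A relying-party check for the proposed staple, added here as an example and not code from the Saturn project: it assumes the `cryptography` Python package, builds throw-away certificates and a CA-signed OCSP response in place of the real mobilepki.org material, and treats the CA key as the already-trusted responder key (certificate path validation is out of scope). The decisive test is the one the issue asks for: the OCSP validity window must cover the object's `timeStamp`.

```python
import base64, hashlib
from datetime import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

def b64url_decode(value):  # Saturn uses unpadded Base64URL; restore the padding before decoding
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
def saturn_time(value):  # "2017-12-13T06:19:06Z" -> naive UTC datetime, as cryptography's OCSP API uses
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def check_stapled_ocsp(authority, ee_cert, responder_key):  # returns 'ok' or the first rejection reason
    staple = authority["signature"].get("extensions", {}).get("ocspResponse")
    if staple is None:
        return "missing"  # the proposal makes the staple mandatory
    resp = ocsp.load_der_ocsp_response(b64url_decode(staple))
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "responder error"
    try:  # responder signature over tbsResponseData; responder_key is assumed to be already trusted
        responder_key.verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    except Exception:
        return "bad signature"
    # the staple must be about *this* EE certificate: same serial number and same issuer name hash
    issuer_hash = hashlib.new(resp.hash_algorithm.name, ee_cert.issuer.public_bytes()).digest()
    if (resp.serial_number, resp.issuer_name_hash) != (ee_cert.serial_number, issuer_hash):
        return "wrong certificate"
    if resp.certificate_status != ocsp.OCSPCertStatus.GOOD:
        return "not good"
    ts = saturn_time(authority["timeStamp"])  # the issue's minimum: the validity window must cover timeStamp
    if ts < resp.this_update or (resp.next_update is not None and ts > resp.next_update):
        return "staple does not cover timeStamp"
    return "ok"

def build_sample(this_update, next_update):  # constructed fixtures, no real PKI material
    ca_key, ee_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Payment Network Sub CA3")])
    def cert(subject, key, serial):  # both certificates are issued and signed by the throw-away CA
        return (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_name).public_key(key.public_key())
                .serial_number(serial).not_valid_before(datetime(2017, 1, 1)).not_valid_after(datetime(2019, 1, 1))
                .sign(ca_key, hashes.SHA256()))
    ca_cert = cert(ca_name, ca_key, 1)
    ee_cert = cert(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Big Bank")]), ee_key, 1461174554959)
    resp = (ocsp.OCSPResponseBuilder()  # CA-signed OCSP response saying the EE certificate is good
            .add_response(cert=ee_cert, issuer=ca_cert, algorithm=hashes.SHA256(),
                          cert_status=ocsp.OCSPCertStatus.GOOD, this_update=saturn_time(this_update),
                          next_update=saturn_time(next_update), revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert).sign(ca_key, hashes.SHA256()))
    staple = base64.urlsafe_b64encode(resp.public_bytes(serialization.Encoding.DER)).rstrip(b"=").decode()
    return ({"timeStamp": "2017-12-13T06:19:06Z", "signature": {"extensions": {"ocspResponse": staple}}},
            ee_cert, ca_key.public_key())
```

`build_sample` takes the window's `thisUpdate` and `nextUpdate` in the same time format the Saturn object uses, so a staple issued after the object's `timeStamp` is rejected even though it is otherwise well-formed and signed.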
