TElX509CertificateValidator.OnOCSPResponseSignerValid
The event is triggered when the certificate that signed the OCSP response is neither the CA certificate itself nor a certificate issued (signed) by that CA.
Declaration
Parameters
Description
According to RFC 6960, an OCSP response must be signed either by the CA certificate (the one that signed the certificate being checked) or by a dedicated responder certificate that was in turn signed by that CA. However, the RFC also declares an exception that makes the other conditions void: the signing certificate is acceptable when it "matches a local configuration of OCSP signing authority for the certificate in question". There is no way for a client to verify, by regular means, that the signing certificate matches such a configuration, so it is up to the application to decide whether a signature made by such a certificate may be accepted.
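The following added example (not SecureBlackbox code) models the three RFC 6960 responder-authorization cases described above, plus the extra requirement the RFC places on a delegated responder: its certificate must carry the id-kp-OCSPSigning extended key usage. Certificates are a constructed Python dataclass, and the issuer signature is simulated with an HMAC keyed by a per-key secret, which stands in for real public-key signature verification; the certificate names, key identifiers and the `local_responders` set are hypothetical. The `accept_ocsp_signer` function plays the role an application handler for this event would play: it is the place where the "local configuration" decision is made.

```python
from dataclasses import dataclass
import hashlib
import hmac

# id-kp-OCSPSigning (RFC 6960, section 4.2.2.2): required on a delegated responder.
OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"

# Constructed key registry: key_id -> secret. Stand-in for looking up a public key.
_KEYS: dict = {}


def new_key(key_id: str) -> str:
    """Register a constructed signing key and return its identifier."""
    _KEYS[key_id] = hashlib.sha256(f"constructed-secret-{key_id}".encode()).digest()
    return key_id


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str          # stand-in for the subject public key / subjectKeyIdentifier
    is_ca: bool
    ekus: frozenset      # extended key usage OIDs
    signature: bytes     # HMAC stand-in for the issuer's signature over the TBS part


def _tbs(subject, issuer, key_id, is_ca, ekus) -> bytes:
    return f"{subject}|{issuer}|{key_id}|{int(is_ca)}|{','.join(sorted(ekus))}".encode()


def issue(issuer_key_id: str, subject: str, issuer: str, key_id: str,
          is_ca: bool = False, ekus=()) -> Cert:
    """Issue a certificate signed with the registered key `issuer_key_id`."""
    ekus = frozenset(ekus)
    sig = hmac.new(_KEYS[issuer_key_id], _tbs(subject, issuer, key_id, is_ca, ekus),
                   hashlib.sha256).digest()
    return Cert(subject, issuer, key_id, is_ca, ekus, sig)


def signature_valid(cert: Cert, issuer_cert: Cert) -> bool:
    """Check that `cert` was signed with the key belonging to `issuer_cert`."""
    secret = _KEYS.get(issuer_cert.key_id)
    if secret is None:
        return False
    expected = hmac.new(secret, _tbs(cert.subject, cert.issuer, cert.key_id,
                                     cert.is_ca, cert.ekus), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def classify_ocsp_signer(signer: Cert, issuer_ca: Cert, local_responders: set) -> str:
    """Map the response signer onto the RFC 6960 section 4.2.2.2 cases."""
    if signer == issuer_ca:                       # (a) the CA that issued the certificate
        return "issuer-ca"
    if signer.key_id in local_responders:         # (b) locally configured OCSP signing authority
        return "locally-configured"
    if signer.issuer == issuer_ca.subject and signature_valid(signer, issuer_ca):
        if OCSP_SIGNING_EKU in signer.ekus:       # (c) authorized responder, EKU present
            return "authorized-responder"
        return "delegate-missing-ocsp-eku"        # issued by the CA, but not for OCSP signing
    return "unknown"


def accept_ocsp_signer(signer: Cert, issuer_ca: Cert, local_responders: set) -> bool:
    """Application policy: accept only the three cases RFC 6960 allows."""
    return classify_ocsp_signer(signer, issuer_ca, local_responders) in {
        "issuer-ca", "authorized-responder", "locally-configured"}


def build_fixtures() -> dict:
    """Constructed certificates covering each classification outcome."""
    ca = issue(new_key("ca-key"), "Example CA", "Example CA", "ca-key", is_ca=True)
    other_ca = issue(new_key("other-ca-key"), "Other CA", "Other CA", "other-ca-key", is_ca=True)
    return {
        "ca": ca,
        "responder": issue("ca-key", "Example OCSP Responder", "Example CA",
                           new_key("resp-key"), ekus={OCSP_SIGNING_EKU}),
        "no_eku": issue("ca-key", "Example Web Server", "Example CA", new_key("web-key")),
        "foreign": issue("other-ca-key", "Other Responder", "Other CA",
                         new_key("other-resp-key"), ekus={OCSP_SIGNING_EKU}),
        # Claims "Example CA" as issuer but is signed by a different key.
        "forged": issue("other-ca-key", "Fake Responder", "Example CA",
                        new_key("fake-key"), ekus={OCSP_SIGNING_EKU}),
        "other_ca": other_ca,
    }


if __name__ == "__main__":
    f = build_fixtures()
    local = {"other-resp-key"}   # hypothetical local configuration
    for name in ("ca", "responder", "no_eku", "foreign", "forged"):
        print(name, classify_ocsp_signer(f[name], f["ca"], local),
              accept_ocsp_signer(f[name], f["ca"], local))
```

The `local_responders` set is the only part of the decision that cannot be derived from the certificates themselves; it is exactly the "local configuration" the RFC refers to, and in a real handler it would come from the application's own trust settings. The `forged` fixture shows why the signature check matters: a certificate that merely names the CA as its issuer is classified as unknown unless the CA's key actually signed it.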