Topic: [SOLVED] OCSP implementation for certificate chain
I have noticed that wolfSSL only performs OCSP checks on the leaf certificate, and not the entire chain. However, to really evaluate trust, doesn't the entire chain need to be checked? Are there plans to implement this?
My understanding of OCSP is that an OCSP responder will only vouch for the status of an individual certificate, regardless of the revocation status of each certificate in the signing chain. For example, suppose I am connecting to a server which has a certificate that has not been revoked but the certificate of the intermediate CA which signed the server's certificate has been revoked, if I ask an OCSP responder about the server's certificate, the responder may indicate that the server's certificate is valid when in fact that certificate should no longer be trusted because its signer was revoked. Or worse yet, if the signer's private key was stolen, the server's certificate could have been issued from the stolen private key with the OSCP responder information pointing to an OSCP responder run by the thief.
So it seems necessary to perform an OCSP check on the entire chain? The logic for how best to implement this is a bit hazy to me, since providing OSCP services is not mandatory and it is conceivable that it may not exist for some certificates in the chain.
Thanks