
cacert-devel - OCSP caching etc.

Subject: CAcert Code Development list.


  • From: Michael Tänzer <michael.taenzer AT cacert.org>
  • To: "critical-admin AT cacert.org" <critical-admin AT cacert.org>, cacert-devel AT lists.cacert.org
  • Subject: OCSP caching etc.
  • Date: Wed, 14 Dec 2011 15:38:56 +0100
  • Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
  • Openpgp: id=9940BEF1

Hi guys,

Picking up the topic of building OCSP responders not directly operated
by CAcert using a cache of predistributed responses to compensate for
failures of the main OCSP server:

We had some discussion in the Software Assessment Team about the
validity of the OCSP responses:
10 minutes is definitely too short, competitors range from 2 days to 7
days. So our recommendation is to use 2 days (my personal opinion is
that 3 days might be acceptable too if we gain anything by that).

What OCSP responder software do we currently use?
The only thing I found that may be somewhat suitable is the OCSP
responder from EJBCA but even that one would require major adjustments
on our side (and it requires the bulky EJB) and I'm not sure whether the
additional OCSP responders are actually slaves and don't require an OCSP
cert of their own or if they are just additional OCSP servers. So maybe
there is no way around coding our own solution.

-- 
Have fun,
Michael Tänzer
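
The following is an added example, not part of the original message and not CAcert code: a minimal model of a mirror that relays pre-signed OCSP responses without holding a signing key, showing how the validity window decides whether it can still answer while the main responder is down. The names `MirrorCache`, `CachedResponse` and `served_during_outage`, the 5-minute clock-skew allowance and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CachedResponse:
    serial: int            # certificate serial the response covers
    this_update: datetime  # thisUpdate of the signed response
    next_update: datetime  # nextUpdate of the signed response
    der: bytes             # opaque pre-signed bytes, relayed unmodified


class MirrorCache:
    """Hypothetical mirror: holds no signing key, only relays responses
    that the main responder signed and distributed in advance."""

    def __init__(self, clock_skew=timedelta(minutes=5)):
        self._by_serial = {}
        self._skew = clock_skew

    def store(self, resp):
        # Keep the newest response per serial, so a later "revoked"
        # answer is never overwritten by an older "good" one.
        old = self._by_serial.get(resp.serial)
        if old is None or resp.this_update > old.this_update:
            self._by_serial[resp.serial] = resp

    def lookup(self, serial, now):
        """Return cached bytes, or None if absent, not yet valid or expired."""
        resp = self._by_serial.get(serial)
        if resp is None:
            return None
        if now + self._skew < resp.this_update or now >= resp.next_update:
            return None
        return resp.der


def served_during_outage(validity, outage):
    """Main responder signs at t0 and then fails; can the mirror still
    answer a query that arrives `outage` later?"""
    t0 = datetime(2011, 12, 14, 12, 0, tzinfo=timezone.utc)  # constructed
    cache = MirrorCache()
    cache.store(CachedResponse(0x1234, t0, t0 + validity, b"constructed-response"))
    return cache.lookup(0x1234, t0 + outage) is not None


if __name__ == "__main__":
    for validity in (timedelta(minutes=10), timedelta(days=2), timedelta(days=3)):
        print(validity, served_during_outage(validity, timedelta(hours=6)))
```

The window that lets a mirror ride out an outage is also how long it can keep relaying a "good" answer for a certificate that was revoked after the response was signed.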
