Subject: CAcert Code Development list.
- From: Wytze van der Raay <wytze AT cacert.org>
- To: Michael Tänzer <michael.taenzer AT cacert.org>
- Cc: "critical-admin AT cacert.org" <critical-admin AT cacert.org>, cacert-devel AT lists.cacert.org
- Subject: Re: OCSP caching etc.
- Date: Fri, 16 Dec 2011 11:54:35 +0100
- Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
- Organization: CAcert
Hi Michael,
On 14.12.2011 15:38, Michael Tänzer wrote:
> Picking up the topic of building OCSP responders not directly operated
> by CAcert using a cache of predistributed responses to compensate for
> failures of the main OCSP server:
>
> We had some discussion in the Software Assessment Team about the
> validity of the OCSP responses:
> 10 minutes is definitely too short, competitors range from 2 days to 7
> days. So our recommendation is to use 2 days (my personal opinion is
> that 3 days might be acceptable too if we gain anything by that).
OK, I've adjusted the setting now.
> What OCSP responder software do we currently use?
We use the OpenCA OCSP responder: openca-ocspd-1.9.0.tar, with a couple of
local patches that you can find in our SVN:
http://svn.cacert.org/CAcert/SystemAdministration/ocsp/home/software/ocspd/patch.cacert
> The only thing I found that may be somewhat suitable is the OCSP
> responder from EJBCA but even that one would require major adjustments
> on our side (and it requires the bulky EJB) and I'm not sure whether the
> additional OCSP responders are actually slaves and don't require an OCSP
> cert of their own or if they are just additional OCSP servers. So maybe
> there is no way around coding our own solution.
We'll have to see ... right now I have no time to look into it.
Regards,
-- wytze