
cacert-sysadm - Re: crl.cacert.org not responding sometimes

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: cacert-sysadm AT lists.cacert.org
  • Subject: Re: crl.cacert.org not responding sometimes
  • Date: Wed, 23 Oct 2013 21:27:33 +0200

Philipp Gühring wrote on 23-10-2013 19:52:
>> 165938 ocspd/1.0
>
> That's from OpenCA. Hmm, but why so many of them? I did not expect many
> people actually using it.

It's not ...

>> 43549 Microsoft-CryptoAPI/6.1
>> 35210 ocspd/1.0.1
>> 29081 -
>> 9968 Microsoft-CryptoAPI/5.131.3790.3959
>> 9480 Mikrotik/6.x Fetch
>> 8648 ocspd (unknown version) CFNetwork/520.5.1 Darwin/11.4.2
>> (x86_64)
>> (iMac12%2C2)
>
> Oh, it seems that Apple is using ocspd, but it could be a different one
> than OpenCA ocspd.

Some piece of Apple software is the culprit here I think ...

Not only do we see this huge amount of crl.cacert.org traffic,
but also on the main webserver we are seeing that over 2/3 of
the requests are for /ca.crt, the CAcert root certificate
(fortunately that is a small file). The agent string displayed
for (again) about 2/3 of these cases is something like
"securityd (unknown version) CFNetwork/672.0.2 Darwin/14.0.0".
And another 11% has "ocspd/1.0" or similar as agent string.

Does someone on this list know more about the inner workings of
Apple's securityd and associated software? Is it configurable
somehow, to reduce the amount of redundant lookups? It's nice
that CAcert is popular with Apple users, but this popularity
seems to carry a rather high price.

Regards,
-- wytze


Attachment: smime.p7s
Description: S/MIME cryptographic signature



