Thanks a million for your warning Milan! On the new installation of the service we forgot to configure Apache to stop this problem from happening. Sorry for that. We have fixed this problem and also another one involving the https configuration... although for the moment we are only using a single certificate for all the virtual hosts... In any case, you shouldn't have problems accessing the service with OpenSSL now.

On the other hand, I would like to remind you that we can set the responder in Authorized mode for any CA interested. You just need to get in touch with us and we'll send you our PKCS request so that you can generate the corresponding OCSP Response certificate.

In this respect, during the last meeting Milan was worried about the problem involved in revoking one of those certificates, given the fact that they all share the same private key. After discussing it a little with my colleagues, we do not see so much of a problem, considering the fact that, at the end of the day, even though all the certificates share the same key, they are all different because each of them has been signed by a different CA. Therefore, we consider that it is up to each CA to revoke such a certificate whenever they feel that it is unsafe. Of course, in case the private key is compromised, CertiVeR would immediately notify all its partners of that fact so that they can publish the corresponding CRL. The only problem with such a method is that the client process (such as the one implemented by OGRO) should validate the status of the corresponding OCSP Signing certificate against the corresponding CRLs... which involves efficiency problems on the client side... there is no silver bullet here. Any other suggestions?

Enjoy your meeting! And well, hopefully see you next time!

Oscar
-----Original Message-----
From: owner-caops-wg@ggf.org [mailto:owner-caops-wg@ggf.org] On behalf of Milan Sova
Sent: Saturday, 01 October 2005 14:32
To: Jesus Luna
CC: caops-wg@ggf.org; Oscar Manso; Manel Medina
Subject: Re: [caops-wg] The Open GRid Ocsp -OGRO- client has been launched!
Hi Jesus.

Jesus Luna wrote:
> Dear all, We are really sorry for not being able to attend the next GGF meeting, but

Sorry for that...

> on the other hand a couple of weeks ago we hosted here in Barcelona TERENA's TF-EMC2 meeting (presentations can be found in http://www.terena.nl/tech/task-forces/tf-emc2/meetings/sep05/agenda.html) and we had the opportunity to introduce CertiVeR's OCSP validation infrastructure for Grids. Such a system is composed of two elements:
> -In the first place an OCSP Service which is currently configured as a Trusted/Authorized Responder for several Grid PKIs. As mentioned in TERENA's meeting, at this moment such service is being tested (Pilot Phase) and offered free of charge for those CAs wishing to use it. The list of CAs being served will grow in the next days, so please let us know your comments or questions about it. More information about the service can be obtained from: http://globus-grid.certiver.com/info/
Good job. Thank you.
Just one small request: It seems that the HTTP server at (tacar|globus-grid).certiver.com cannot handle OCSP requests via HTTP/1.0 (no Host: header in the HTTP request). Unfortunately it severely limits usage of the OpenSSL command-line ocsp client (which I usually use for testing) - it gets a "400 Not Found" response to the sent request. Could it be possible to reconfigure the HTTP server so that it would dispatch the requests based on some other criteria than the virtual host name? Maybe something like http://www.certiver.com/tacar-ocsp/ and http://www.certiver.com/grid-ocsp/ could do the job.
Thanks again.
Regards -- Milan Sova sova@cesnet.cz
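As an added illustration (not code from the thread, from CertiVeR or from OGRO), the following Python models the dispatch problem Milan describes: an HTTP/1.0 OCSP POST carries no Host: header, so a server that selects the responder by name-based virtual host can only fall back to its default site, while routing on a URL path prefix works for HTTP/1.0 and HTTP/1.1 clients alike. The host names and path prefixes are taken from the thread purely as labels; the backend names, the fallback behaviour and the request bodies are constructed for the example and are not a description of the real servers.

```python
# Added illustration (not code from CertiVeR, OGRO or the list authors) of why an
# HTTP/1.0 OCSP POST without a Host: header never reaches a name-based virtual
# host, and how dispatching on the URL path (as proposed in the thread) avoids it.
# Host names and path prefixes below are taken from the thread as labels only;
# backend names, status codes and the request bodies are constructed here.

from typing import Optional, Tuple

# Name-based virtual hosts: the server picks a vhost by the Host: header value.
NAME_VHOSTS = {
    "tacar.certiver.com": "tacar-responder",
    "globus-grid.certiver.com": "grid-responder",
}
DEFAULT_VHOST = "www-site"  # where a request with no usable Host: header lands

# Path-based routing, the alternative suggested in the thread (a single vhost).
PATH_ROUTES = {
    "/tacar-ocsp/": "tacar-responder",
    "/grid-ocsp/": "grid-responder",
}

OCSP_CT = "application/ocsp-request"


def parse_request(raw: bytes) -> Tuple[str, str, str, dict, bytes]:
    """Minimal HTTP request parser: request line, lowercased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def dispatch_by_host(raw: bytes) -> Tuple[int, Optional[str]]:
    """Name-based vhost selection. Returns (status, backend or None)."""
    method, _target, _version, headers, _body = parse_request(raw)
    if method != "POST" or headers.get("content-type") != OCSP_CT:
        return 400, None
    host = headers.get("host")
    if host is None:
        # HTTP/1.0 clients (e.g. a command-line OCSP client) send no Host:
        # header, so the server cannot tell which responder was meant and
        # falls back to the default vhost, which does not serve OCSP.
        backend = DEFAULT_VHOST
    else:
        backend = NAME_VHOSTS.get(host.split(":")[0].lower(), DEFAULT_VHOST)
    if backend == DEFAULT_VHOST:
        return 404, None
    return 200, backend


def dispatch_by_path(raw: bytes) -> Tuple[int, Optional[str]]:
    """Path-prefix routing: independent of the Host: header entirely."""
    method, target, _version, headers, _body = parse_request(raw)
    if method != "POST" or headers.get("content-type") != OCSP_CT:
        return 400, None
    for prefix, backend in PATH_ROUTES.items():
        if target.startswith(prefix):
            return 200, backend
    return 404, None


def build_request(target: str, version: str, host: Optional[str], body: bytes) -> bytes:
    """Build a POST like an OCSP client would; no Host: line for HTTP/1.0."""
    lines = [f"POST {target} {version}"]
    if host is not None:
        lines.append(f"Host: {host}")
    lines += [f"Content-Type: {OCSP_CT}", f"Content-Length: {len(body)}"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


# Constructed placeholder body; NOT a real DER-encoded OCSPRequest.
FAKE_OCSP_BODY = b"\x30\x03\x02\x01\x00"

# What an HTTP/1.0 client sends: no Host: header at all.
HTTP10_REQUEST = build_request("/", "HTTP/1.0", None, FAKE_OCSP_BODY)
# What an HTTP/1.1 client sends for the same responder.
HTTP11_REQUEST = build_request("/", "HTTP/1.1", "tacar.certiver.com", FAKE_OCSP_BODY)
# HTTP/1.0 again, but with the responder identified by path instead of host.
HTTP10_PATH_REQUEST = build_request("/tacar-ocsp/", "HTTP/1.0", None, FAKE_OCSP_BODY)


if __name__ == "__main__":
    print("HTTP/1.0, name-based:", dispatch_by_host(HTTP10_REQUEST))       # (404, None)
    print("HTTP/1.1, name-based:", dispatch_by_host(HTTP11_REQUEST))       # (200, 'tacar-responder')
    print("HTTP/1.0, path-based:", dispatch_by_path(HTTP10_PATH_REQUEST))  # (200, 'tacar-responder')
```

The point of the comparison is the first two calls: the same OCSP body is accepted when the client speaks HTTP/1.1 and rejected when it speaks HTTP/1.0, and the only difference on the wire is the Host: header. Routing on the path prefix removes that dependency, which is why a URL such as http://www.certiver.com/tacar-ocsp/ works for an HTTP/1.0 client where a name-based virtual host does not.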