Quoting Mike Helm <helm@fionn.es.net>:
> Is the recommendation one to the authors of OCSP client-side software or to proxy administrators?
I think that this should be addressed to OCSP architects in charge of deploying/planning the Grid-OCSP Responders ("please disable OCSP-service caching at HTTP-caches"). However, this recommendation could also be useful for developers trying to figure out potential problems with their clients (the HTTP cache responding instead of the OCSP Responder).
> It seems natural to take advantage of http proxies -- especially in those unfortunate circumstances where you have no other choice! Unless it's hopeless, but I don't see that from the example cited or from the RFC, but I definitely don't understand all the potential problems.
HTTP Proxying is useful, but the problem may arise from HTTP-caches where a misconfigured server may begin responding to OCSP Requests instead of sending them to the OCSP Responder. I think that this is likely to happen when OCSP Requests are being sent over HTTP/1.0 (i.e. OpenSSL clients?).

Regards,
Jesus