Mike Helm <helm@fionn.es.net> wrote:
Jim Basney writes:
One comment I'll make is that the MyProxy example in the appendix is odd, considering the recommendation elsewhere in the document not to include proxy certificates in OCSP requests.
Amen!
What's the general capability of the myproxy ocsp client, or its intended application &c? Thanks,
==mwh
In an upcoming MyProxy release, it will be possible to configure the myproxy-server to check certificate status via OCSP for stored credentials before delegating a proxy certificate from those credentials.
Do you have any UI for altering the OCSP-reported status of certs in the myproxy server's store? If so, how does this work, or how do you think it should work in general? I think this is appropriate to understand (and relevant to this document), because if we should want to generalize this idea to other kinds of certificate management, we should also want to provide the same kinds of interfaces for cert revocation everywhere.
Note that I wrote that MyProxy will *check* certificate status via OCSP, not *report* certificate status via OCSP. The myproxy-server will query an external OCSP service, not provide an OCSP service itself. The management interface to the OCSP service is out of scope for MyProxy.
-Jim