"Cowles, Robert D." writes:
Following up on discussions at the EUgridPMA and post-meeting discussions, I'm really nervous about the fragility of a network of OCSP responders.... that's just for the CAs and doesn't really address the issue that Mike raises of how we set
I think I have mentioned this here, but certainly at SLCCC and OSG consortium, that some deployment scenarios for OCSP may not improve the situation we have now. They would replace an individual relationship with a CA and a local CRL file that had to be updated with an individual relationship with a CA and a (usually) network-based URL that would have to be checked. On the face of it that might be worse, since network overhead and partitioning might cause problems; but the devil is in the details. To me this suggests you wind up with both: OCSP for more real-time and caching data, CRLs for backup.

However, we have argued out this scenario and counters to it, and a lot of that has dropped out of the paper as a result. But see section 4.2 and figure 1 in section 7. I think I can say we are recommending a site, and/or VO, clearinghouse trusted responder; strongly enough? But to build that we are probably going to have to start with something more general.

It seems to me the foundation for this is getting CAs to each establish an OCSP responder, provide some mechanism for registering proxy revocations, and stamping their EE certs with the CA's responder URL. Organizations can build their own responders based on this info, instruct their clients as they see fit, and identity providers who need to serve many different communities don't have to make exceptions for each.
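The "both" deployment described in the message above (OCSP for the real-time answer, the CRL as backup, the responder URL stamped into the EE cert) is concrete enough to show as code. The block below is an added example written for this page; it is not code from the thread, the paper it refers to, or any grid project. It assumes the Python `cryptography` package, builds a throwaway CA and end-entity certificate in memory, and uses invented names, serials and URLs; the "network" is a pair of caller-supplied fetch functions so that an unreachable responder can be simulated offline. The checker reads the OCSP URL from the certificate's AIA extension, verifies the responder's signature under the CA key, refuses stale answers, falls back to a signed and still-valid CRL, and fails closed when neither source is usable.

```python
"""Added example (not from the thread): OCSP-first revocation check with CRL fallback.
Everything is generated in memory; all names, serials and URLs are invented."""
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

OCSP_URL = "http://ocsp.example-ca.test/"      # assumed responder URL stamped into the EE cert
CRL_URL = "http://crl.example-ca.test/ca.crl"  # assumed CRL distribution point
NOW = dt.datetime(2024, 1, 1)                  # fixed naive-UTC clock so the scenarios are reproducible
HOUR = dt.timedelta(hours=1)


class ResponderUnreachable(Exception):
    """Stands in for a timeout or network partition toward the responder or CRL host."""


def make_pki():
    """Throwaway CA plus an EE cert carrying the CA's OCSP URL (AIA) and a CRL distribution point."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Grid CA")])
    ca_cert = (x509.CertificateBuilder()
               .subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key()).serial_number(1)
               .not_valid_before(NOW - 24 * HOUR).not_valid_after(NOW + 365 * 24 * HOUR)
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    ee_key = ec.generate_private_key(ec.SECP256R1())
    ee_cert = (x509.CertificateBuilder()
               .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "grid user")]))
               .issuer_name(ca_name).public_key(ee_key.public_key()).serial_number(4242)
               .not_valid_before(NOW - 24 * HOUR).not_valid_after(NOW + 30 * 24 * HOUR)
               .add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
                   AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(OCSP_URL))]),
                   critical=False)
               .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
                   [x509.UniformResourceIdentifier(CRL_URL)], None, None, None)]), critical=False)
               .sign(ca_key, hashes.SHA256()))
    return ca_key, ca_cert, ee_cert


def ocsp_response(ca_key, ca_cert, ee_cert, revoked, this_update, next_update):
    """DER OCSP response the CA's own responder would sign for ee_cert."""
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=ee_cert, issuer=ca_cert, algorithm=hashes.SHA256(),
                          cert_status=status, this_update=this_update, next_update=next_update,
                          revocation_time=this_update if revoked else None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.NAME, ca_cert)
            .sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER))


def crl(ca_key, ca_cert, revoked_serials, last_update, next_update):
    """DER CRL from the same CA: the backup source."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(last_update).next_update(next_update))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(last_update).build())
    return b.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def _naive_utc(obj, field):
    """Read this_update/next_update as naive UTC across cryptography versions (*_utc vs legacy)."""
    v = getattr(obj, field + "_utc", None)
    return v.replace(tzinfo=None) if v is not None else getattr(obj, field)


def ocsp_url(cert):
    """The responder URL the CA stamped into the cert, or None if the CA did not."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return None
    return next((d.access_location.value for d in aia
                 if d.access_method == AuthorityInformationAccessOID.OCSP), None)


def crl_url(cert):
    dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    return dps[0].full_name[0].value


def check_revocation(ee_cert, ca_cert, fetch_ocsp, fetch_crl, now=NOW):
    """OCSP first, CRL as backup, fail closed. fetch_ocsp(url, der_request) and fetch_crl(url)
    are the caller's transport and may raise ResponderUnreachable. Returns (status, source)."""
    url = ocsp_url(ee_cert)
    if url is not None:
        req = (ocsp.OCSPRequestBuilder().add_certificate(ee_cert, ca_cert, hashes.SHA256())
               .build().public_bytes(serialization.Encoding.DER))
        try:
            r = ocsp.load_der_ocsp_response(fetch_ocsp(url, req))
            if (r.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL
                    and r.serial_number == ee_cert.serial_number):
                # A forged response raises InvalidSignature here rather than falling back.
                ca_cert.public_key().verify(r.signature, r.tbs_response_bytes,
                                            ec.ECDSA(r.signature_hash_algorithm))
                nu = _naive_utc(r, "next_update")
                if _naive_utc(r, "this_update") <= now and (nu is None or now < nu):
                    good = r.certificate_status == ocsp.OCSPCertStatus.GOOD
                    return ("good" if good else "revoked"), "ocsp"
                # stale or not-yet-valid answer: ignore it and consult the backup
        except ResponderUnreachable:
            pass  # partition: fall through to the CRL
    try:
        c = x509.load_der_x509_crl(fetch_crl(crl_url(ee_cert)))
    except ResponderUnreachable:
        raise RuntimeError("no usable revocation data: failing closed")
    if not c.is_signature_valid(ca_cert.public_key()) or now >= _naive_utc(c, "next_update"):
        raise RuntimeError("CRL is forged or stale: failing closed")
    revoked = c.get_revoked_certificate_by_serial_number(ee_cert.serial_number) is not None
    return ("revoked" if revoked else "good"), "crl"


def demo():
    """Run the checker against four deployments of the same cert and CA."""
    ca_key, ca_cert, ee_cert = make_pki()
    fresh_good = ocsp_response(ca_key, ca_cert, ee_cert, False, NOW - HOUR, NOW + HOUR)
    fresh_bad = ocsp_response(ca_key, ca_cert, ee_cert, True, NOW - HOUR, NOW + HOUR)
    stale_good = ocsp_response(ca_key, ca_cert, ee_cert, False, NOW - 48 * HOUR, NOW - 24 * HOUR)
    crl_revoked = crl(ca_key, ca_cert, [ee_cert.serial_number], NOW - HOUR, NOW + 24 * HOUR)
    crl_clean = crl(ca_key, ca_cert, [], NOW - HOUR, NOW + 24 * HOUR)

    def down(*_):
        raise ResponderUnreachable()

    results = {
        "responder_up": check_revocation(ee_cert, ca_cert, lambda u, q: fresh_good, lambda u: crl_clean),
        "responder_revokes": check_revocation(ee_cert, ca_cert, lambda u, q: fresh_bad, lambda u: crl_clean),
        "responder_down": check_revocation(ee_cert, ca_cert, down, lambda u: crl_revoked),
        "responder_stale": check_revocation(ee_cert, ca_cert, lambda u, q: stale_good, lambda u: crl_revoked),
    }
    try:
        check_revocation(ee_cert, ca_cert, down, down)
        results["all_down"] = "accepted"
    except RuntimeError:
        results["all_down"] = "failed closed"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} {outcome}")
```

The fourth scenario is the one the message worries about: a responder that answers but with an expired window is treated exactly like an unreachable one, so the CRL still decides. The last scenario shows why the CRL is a backup rather than a courtesy: with neither source usable the checker raises instead of returning "good". A site or VO clearinghouse responder, as the message proposes, would sit in front of `fetch_ocsp` and serve cached CA answers with the same freshness rules applied at the edge.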