Since Proxy certs are the thorniest problem (& the principal one remaining that we know of), I will start with this. Jesus Luna writes:
In slide 4 of the presentation "OCSP-GGF15.ppt" three different OCSP discovery mechanisms are mentioned to validate user and Proxy Certificates; in this case we agree with them (in fact the first two are referenced in some way in section "4.4 Responder discovery"), however it could be convenient to mention also the possibility of using the multicited OCSP Policy to accomplish such configuration at the relying
What is the "multicited OCSP policy"?
The third option "OCSP-signing proxy delegated to responder", could you elaborate more on this? We are not getting the idea behind such concept.
Here are the comments from the minutes:

When proxy uses AIA extension (=URL added), have to provide intelligence to OCSP objects that identifies the appropriate response and ensures authority of signer is appropriate. Requires special software at OCSP level, or use some portion of AIA URL and make sure that OCSP signing certificate had corresponding name (yuck). Best way is for user to delegate a proxy cert to OCSP responder in such a way that the cert has OCSP signature info. Can have multiple URLs in one cert or proxy. Essentially this is a bucket of URLs and info on what will be found at these URLs (note not CRLs!). Clients can try these sequentially; some undefined logic is implied here.

I think that is referring to the same item. What I am getting out of this is an idea something like: create a service that manages a large number of delegate proxy OCSP responder certificates, per user or per proxy cert, not clear. In fact it is not clear that this is the only possible content; perhaps a referral to a real OCSP service would be found at the end of it &c. I wasn't there & it's not my idea, so I am not sure about it. In an earlier meeting Olle discussed something similar but less developed (see minutes info posted earlier).

Thanks, ==mwh
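Added example, not code from this thread or from any GGF working group, using Python's cryptography package: it reads the OCSP URL out of a certificate's AIA extension (the "URL added" discovery route from the minutes) and then applies the standard RFC 6960 check the minutes say the client must make, that the response signer is the cert's issuer or a responder delegated by that issuer with the OCSPSigning EKU, rather than trusting a URL or a matching name. The CA, user cert, responder cert and URL are constructed placeholders, and the demo CA signs with ECDSA (an assumption noted in the code).

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID

def _cert(cn, issuer_name, issuer_key, pubkey, exts=()):
    """Issue a short-lived test cert (self-signed when issuer_name is None); exts = [(ext, critical)]."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name if issuer_name is not None else subject)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(minutes=1)).not_valid_after(now + timedelta(days=1)))
    for ext, critical in exts:
        b = b.add_extension(ext, critical=critical)
    return b.sign(issuer_key, hashes.SHA256())

def ocsp_urls(cert):
    """OCSP responder URLs advertised in the cert's AIA extension (the 'URL added' discovery route)."""
    for ext in cert.extensions:
        if ext.oid == ExtensionOID.AUTHORITY_INFORMATION_ACCESS:
            return [d.access_location.value for d in ext.value if d.access_method == AuthorityInformationAccessOID.OCSP]
    return []

def signer_is_authorized(signer, issuer):
    """RFC 6960 4.2.2.2: signer is the cert's issuer, or issued by it with id-kp-OCSPSigning; a URL alone proves nothing."""
    if signer == issuer:
        return True
    if signer.issuer != issuer.subject:
        return False
    try:  # demo CA signs with ECDSA; a general checker dispatches on the issuer key type
        issuer.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                   ec.ECDSA(signer.signature_hash_algorithm))
    except Exception:  # InvalidSignature, or an issuer key that is not ECDSA
        return False
    try:
        eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return ExtendedKeyUsageOID.OCSP_SIGNING in eku

def build_demo():
    """Constructed PKI: CA, user cert whose AIA names a placeholder OCSP URL, delegated responder cert with OCSPSigning."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = _cert("Demo CA", None, ca_key, ca_key.public_key(), [(x509.BasicConstraints(ca=True, path_length=None), True)])
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier("http://ocsp.example.test/"))])
    issue = lambda cn, exts: _cert(cn, ca.subject, ca_key, ec.generate_private_key(ec.SECP256R1()).public_key(), exts)
    return {"ca": ca, "user": issue("user proxy", [(aia, False)]),
            "responder": issue("ocsp responder", [(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), False)])}
```

The user cert, although issued by the same CA, is rejected as a response signer because it lacks the OCSPSigning EKU, which is exactly the "authority of signer" gap the minutes describe for URL-only discovery.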