Dear all,

A couple of days ago we had an issue with the OCSP Responder and an OpenSSL user, where the OCSP Request was being sent over HTTP but traversing a Squid cache.

The problem was a combination of an OpenSSL "known issue" (use the "host+path" parameters instead of the "url" parameter when performing an OCSP Request) with Squid's ability to cache certain types of HTTP requests (in this case HTTP/1.0).

Even though RFC2560 mentions the following:

"The reliance of HTTP caching in some deployment scenarios may result in unexpected results if intermediate servers are incorrectly configured or are known to possess cache management faults. Implementors are advised to take the reliability of HTTP cache mechanisms into account when deploying OCSP over HTTP."

Maybe we should add this note to the "OCSP Requirements for Grids" document, so potential deployments disable OCSP over HTTP caching in intermediate servers.

What do you think about it?

More info about the OpenSSL issue mentioned above can be found in the openssl-users mailing list under the following link:

http://marc.theaimsgroup.com/?l=openssl-users&m=111091034704961&w=2

Best regards,
Jesus & Oscar
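
An added example, not part of the original message or of the "OCSP Requirements for Grids" document: a Python check that flags OCSP-over-HTTP replies whose headers show they passed through, or were served from, an intermediate cache such as Squid. The header blocks are constructed samples, and `inspect_ocsp_reply` and the host `proxy.example.org` are hypothetical names.

```python
from email.parser import Parser

OCSP_RESPONSE_TYPE = "application/ocsp-response"

def inspect_ocsp_reply(raw_headers):
    """Classify one HTTP reply header block (status line already removed)."""
    h = Parser().parsestr(raw_headers, headersonly=True)
    result = {"is_ocsp": h.get_content_type() == OCSP_RESPONSE_TYPE,
              "via_proxy": False, "cache_hit": False, "reasons": []}
    if not result["is_ocsp"]:
        return result  # only OCSP replies are of interest here
    # Via is added by every HTTP proxy the reply crossed, caching or not.
    via = h.get_all("Via", [])
    if via:
        result["via_proxy"] = True
        result["reasons"].append("Via: " + ", ".join(via))
    # Squid reports its lookup as "X-Cache: HIT from <host>" or "MISS from <host>".
    for value in h.get_all("X-Cache", []):
        if value.strip().upper().startswith("HIT"):
            result["cache_hit"] = True
            result["reasons"].append("X-Cache: " + value.strip())
    # Age is set by caches, not by origin servers, so its presence means the
    # reply was not freshly generated by the responder for this request.
    age = h.get("Age")
    if age is not None and age.strip().isdigit():
        result["cache_hit"] = True
        result["reasons"].append("Age: " + age.strip() + "s")
    return result

# Constructed sample header blocks (not captured traffic).
DIRECT = "Content-Type: application/ocsp-response\nContent-Length: 1500\n\n"
SQUID_MISS = ("Content-Type: application/ocsp-response\n"
              "X-Cache: MISS from proxy.example.org\n"
              "Via: 1.0 proxy.example.org:3128 (squid)\n\n")
SQUID_HIT = ("Content-Type: application/ocsp-response\n"
             "Age: 3600\n"
             "X-Cache: HIT from proxy.example.org\n"
             "Via: 1.0 proxy.example.org:3128 (squid)\n\n")

if __name__ == "__main__":
    for name, block in (("direct", DIRECT), ("miss", SQUID_MISS), ("hit", SQUID_HIT)):
        r = inspect_ocsp_reply(block)
        print(name, "cache_hit=%s" % r["cache_hit"], r["reasons"])
```

A reply flagged with `cache_hit` was not produced by the responder for the request that was just sent, so its status and validity interval should be treated as potentially stale.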