30 Jan 2006, 5:01 p.m.
On OCSP AIAs in end entity certs. We discussed the problem of small CAs standing up an OCSP responder & operating them on a 24x7 basis; this is one of the "cons" to the recommendation that CAs do this, and stamp their EE certs with their OCSP responder. But it is not necessary that the CA provide its own responder; it can delegate that right to another responder, as Olle/David Groep (apparently) suggest. So it is only necessary that a CA find an OCSP service with which it can establish that relationship; then it can include this responder URL in its certificates. Obviously, this must be a long-term relationship, because a change in responders or URL information will invalidate those end entity certificates.
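As an added illustration (not part of the original post or of any project it mentions), the following Python builds and parses the DER encoding of the Authority Information Access extension (RFC 5280 section 4.2.2.1), which is the field the post is talking about: the OCSP responder URL is a literal string baked into every end entity certificate, which is why a responder change invalidates them. It also shows the extended key usage check a relying party applies to a delegated responder's signing certificate (id-kp-OCSPSigning, RFC 6960 section 4.2.2.2). The host names `ocsp.example-responder.test` and `example-ca.test` are constructed sample values, and the DER routines are minimal ones written for this example rather than a library's API.

```python
"""Build and parse the X.509 Authority Information Access (AIA) extension to
show how a delegated OCSP responder's URL is carried in an end entity cert,
plus the EKU check applied to a delegated responder's signing certificate.
Minimal DER routines, standard library only; sample values are constructed."""

ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"          # accessMethod for an OCSP responder
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"    # accessMethod for the issuing CA's cert
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"   # EKU a delegated responder cert must carry
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # ordinary TLS server EKU, used as a negative case


def _len(n):
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER; assumes first arc 0..2 and second arc < 40 (true for PKIX OIDs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])  # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def encode_aia(access):
    """access: list of (accessMethod OID, URI). accessLocation is the GeneralName
    uniformResourceIdentifier choice, [6] IMPLICIT IA5String, hence tag 0x86."""
    descs = b"".join(_tlv(0x30, encode_oid(oid) + _tlv(0x86, uri.encode("ascii")))
                     for oid, uri in access)
    return _tlv(0x30, descs)


def parse_aia(der):
    """Return [(accessMethod OID, URI)] for every URI-form AccessDescription."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA extension value must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(body):
        _, desc, pos = _read_tlv(body, pos)
        _, oid_body, p = _read_tlv(desc, 0)
        loc_tag, loc_body, _ = _read_tlv(desc, p)
        if loc_tag == 0x86:  # other GeneralName forms are not usable as an OCSP endpoint
            result.append((decode_oid(oid_body), loc_body.decode("ascii")))
    return result


def ocsp_urls(der):
    """The responder URL(s) a client will contact; these are fixed for the cert's lifetime."""
    return [uri for oid, uri in parse_aia(der) if oid == ID_AD_OCSP]


def encode_eku(oids):
    return _tlv(0x30, b"".join(encode_oid(o) for o in oids))


def has_ocsp_signing_eku(der):
    """True if the EKU extension of a delegated responder's cert lists id-kp-OCSPSigning."""
    _, body, _ = _read_tlv(der, 0)
    pos = 0
    while pos < len(body):
        t, b, pos = _read_tlv(body, pos)
        if t == 0x06 and decode_oid(b) == ID_KP_OCSP_SIGNING:
            return True
    return False


# Constructed sample: a small CA (example-ca.test) delegates OCSP to a third-party
# responder (ocsp.example-responder.test). Both host names are hypothetical.
SAMPLE_AIA = encode_aia([(ID_AD_OCSP, "http://ocsp.example-responder.test/"),
                         (ID_AD_CA_ISSUERS, "http://example-ca.test/ca.cer")])
SAMPLE_RESPONDER_EKU = encode_eku([ID_KP_OCSP_SIGNING])
SAMPLE_WEB_EKU = encode_eku([ID_KP_SERVER_AUTH])  # a plain TLS cert: not a valid delegated responder

if __name__ == "__main__":
    print("AIA DER:", SAMPLE_AIA.hex())
    print("OCSP responder URLs:", ocsp_urls(SAMPLE_AIA))
    print("responder cert acceptable:", has_ocsp_signing_eku(SAMPLE_RESPONDER_EKU))
```

The EKU test is only half of what a client checks on a delegated responder: the responder's signing certificate must also be issued directly by the CA that issued the certificate whose status is being asked about, so the "relationship" the post describes is concretely the CA issuing (and periodically reissuing) that signing certificate to the responder operator, while the URL in `SAMPLE_AIA` stays unchanged for the life of the end entity certificates.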