Mike Helm <helm@fionn.es.net> wrote:
Jim Basney writes:
what's the general capability of the myproxy ocsp client, or its intended application &c? thanks, ==mwh
In an upcoming MyProxy release, it will be possible to configure the myproxy-server to check certificate status via OCSP for stored credentials before delegating a proxy certificate from those credentials.
How does it, or how do you see it choosing, between a configured OCSP responder (a default responder?), AIA extensions in EE certs, or local CRL files?
The "OCSP Requirements for Grids" document says:

    relying parties MUST be capable of handling both CRLs and OCSP, and it MUST be a configurable option which source of revocation to prefer and which to use as a backup, on a per-issuer basis.

and:

    Local configuration MUST have precedence over any service locator information located in the certificate's AIA extension. A default responder for all other issuers SHOULD be configurable as well.

I find the configuration requirements in the document to be quite complex, and I suspect MyProxy will not meet them fully any time soon. MyProxy will implement the following to start:

- Always check CRLs if present.
- Allow configuration of a trusted local OCSP responder.
- Allow configuration of whether OCSP responders should be located via AIA extensions.
- Allow configuration of whether the trusted local responder or AIA responder should take precedence.

-Jim
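The following is an added illustration of the precedence rules discussed in this thread (CRL always checked if present, a trusted local responder, AIA-located responders, configurable order between the two, and per-issuer overrides). It is not MyProxy's code and makes no claim about how myproxy-server implements this; all names (CertInfo, RevocationConfig, revocation_sources, decide), the issuer DNs, responder URLs, serial numbers and the CRL/OCSP tables are hypothetical and constructed inline so the script runs offline. Real responders are replaced by lookup tables, and an outage is simulated by listing a URL in `down`.

```python
"""Revocation-source ordering and fallback for proxy delegation.

Added example, not MyProxy code. Certificate data, CRL contents and OCSP
responder answers are constructed inline; no network access is made.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

CA = "CN=Example Grid CA"          # hypothetical issuer DN
OTHER_CA = "CN=Other CA"           # hypothetical issuer with no local CRL
LOCAL = "http://ocsp.local.example/"   # hypothetical trusted local responder
AIA = "http://ocsp.ca.example/"        # hypothetical URL as found in an AIA extension


@dataclass
class CertInfo:
    serial: int
    issuer: str
    aia_ocsp_urls: List[str] = field(default_factory=list)  # OCSP URIs from the AIA extension


@dataclass
class RevocationConfig:
    check_crl: bool = True                  # "always check CRLs if present"
    local_responder: Optional[str] = None   # trusted local OCSP responder, if configured
    use_aia: bool = True                    # locate responders via AIA extensions?
    prefer_local: bool = True               # local responder before AIA responders?
    # per-issuer overrides: local configuration wins over anything in the cert
    per_issuer: Dict[str, "RevocationConfig"] = field(default_factory=dict)


def revocation_sources(cert: CertInfo, cfg: RevocationConfig) -> List[Tuple[str, str]]:
    """Ordered (kind, location) pairs to consult; kind is 'crl' or 'ocsp'."""
    eff = cfg.per_issuer.get(cert.issuer, cfg)   # issuer-specific config takes precedence
    sources: List[Tuple[str, str]] = []
    if eff.check_crl:
        sources.append(("crl", cert.issuer))
    local = [("ocsp", eff.local_responder)] if eff.local_responder else []
    aia = [("ocsp", url) for url in cert.aia_ocsp_urls] if eff.use_aia else []
    sources += local + aia if eff.prefer_local else aia + local
    return sources


# Constructed sample data standing in for real CRL files and OCSP responders.
CRLS: Dict[str, FrozenSet[int]] = {CA: frozenset({0x1001})}   # serial 0x1001 revoked by CRL
OCSP_RESPONDERS: Dict[str, Dict[int, str]] = {
    LOCAL: {0x2002: "revoked"},                 # local responder knows 0x2002 is revoked
    AIA:   {0x2002: "good", 0x3003: "good"},    # CA responder has not caught up on 0x2002
}

Checker = Callable[[str, CertInfo], str]   # returns good | revoked | unknown | unavailable


def crl_checker(issuer: str, cert: CertInfo) -> str:
    revoked = CRLS.get(issuer)
    if revoked is None:
        return "unavailable"                    # no CRL on hand for this issuer
    return "revoked" if cert.serial in revoked else "good"


def make_ocsp_checker(down: FrozenSet[str] = frozenset()) -> Checker:
    def ocsp_checker(url: str, cert: CertInfo) -> str:
        if url in down:
            return "unavailable"                # simulated responder outage
        return OCSP_RESPONDERS.get(url, {}).get(cert.serial, "unknown")
    return ocsp_checker


def check_revocation(cert: CertInfo, cfg: RevocationConfig,
                     checkers: Dict[str, Checker]) -> Tuple[str, List[str]]:
    """Walk the sources in order. Any 'revoked' wins immediately; the first OCSP
    responder that gives a definitive 'good' ends the search (backups are only
    for failures); if nothing definitive was learned the result is 'unknown',
    which the caller must treat as a refusal to delegate (fail closed)."""
    trail: List[str] = []
    answered = False
    for kind, where in revocation_sources(cert, cfg):
        status = checkers[kind](where, cert)
        trail.append(f"{kind}:{where}={status}")
        if status == "revoked":
            return "revoked", trail
        if status == "good":
            answered = True
            if kind == "ocsp":
                break
    return ("good" if answered else "unknown"), trail


def decide(cert: CertInfo, cfg: RevocationConfig, down: FrozenSet[str] = frozenset()) -> str:
    status, _ = check_revocation(cert, cfg, {"crl": crl_checker, "ocsp": make_ocsp_checker(down)})
    return status


if __name__ == "__main__":
    cfg = RevocationConfig(local_responder=LOCAL, use_aia=True, prefer_local=True)
    for serial in (0x1001, 0x2002, 0x3003):
        cert = CertInfo(serial, CA, [AIA])
        print(hex(serial), check_revocation(cert, cfg, {"crl": crl_checker, "ocsp": make_ocsp_checker()}))
```

Running the script shows why the precedence knob matters: with the local responder preferred, serial 0x2002 is refused because the local responder reports it revoked; flip `prefer_local` to False and the AIA responder's stale "good" answer is accepted first. A certificate whose issuer has no CRL and whose responders are all unreachable comes back "unknown", and the delegating server should treat that as a denial rather than a pass.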