On Tue, Feb 26, 2008 at 1:57 PM, Joe Orton <[EMAIL PROTECTED]> wrote:
> Right, that is exactly my view. I think that any attempt to make
> mod_ssl treat CRLs as anything other than static files loaded once at
> startup will end up trying to reinvent OCSP badly.
>
> If a free OCSP responder existed which actually did this maybe those
> "make CRL handling better" bug reports would go away :)

FWIW I have experimented with this recently and found ocspd from openca.org was able to frontend a CRL-as-static-file satisfactorily (albeit for a different security library and SSL application). It seems to be BSD-like and gratis. Unfortunately I stopped short of trying to frontend a CRL-over-LDAP, but it does purport to do this as part of its core functionality.

https://www.openca.org/projects/ocspd/downloads.shtml

-- 
Eric Covener
[EMAIL PROTECTED]
