Russ Housley <[email protected]> wrote:
>>> The second is, I think, that the EAP server (Authentication Server), would run
>>> an OCSP responder locally so that it can mint its own staples.
>>> AFAIK, each certificate can point to a different OCSP signer.
>>
>> Does anyone actually do that?
> I am aware of some places that generate an OCSP response for the entire
> population of certificates, and those responses are distributed to many
> locations. I am not aware of anyone that distributes the OCSP
> responder signature private key to multiple locations.
Does anyone put different OCSP signers into different certificates?
I.e. shard the work?
I think that splitting the OCSP responses to many locations might solve the
industrial situation well.
I think that there is also some significant space to tune the validity
periods.
But, I agree with Eliot: the OCSP responder is new.
It seems that maybe SHOULD would be appropriate on OCSP.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
