On Wednesday, 06/19/2019 at 12:01 GMT, "van Sleeuwen, Berry" <[email protected]> wrote:
> My first question is what to do with OCSP? Do I really need ocsp for my
> purpose? I have found some mixed views on that. Some browsers have dropped CRL
> support but otoh chrome doesn’t use ocsp. So instead of investigating the
> issues with ocsp should I just drop it and do without ocsp?

OCSP is replacing CRLs. If you're going to be a CA, *be* a CA. If you're just playing around, then no worries.

> And secondly, if I should set up ocsp, what might be the catch that prevents me
> from a successful validation?

Your ocsp responder service not being available 24x7. For now, the policies dealing with the lack of ocsp and/or crl tend toward "assume it's ok". Kinda loosey goosey. I don't know for how much longer, though. But it will depend on what the client side is willing to tolerate.

Alan Altmark

Senior Managing z/VM and Linux Consultant
IBM Systems Lab Services
IBM Z Delivery Practice
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
[email protected]
IBM Endicott
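The availability catch and the "assume it's ok" policy from the reply above, as an added example that is not part of the original message. It is a simulation only: the responder objects, the serial numbers and the function names are hypothetical and constructed, and no real OCSP library or network call is involved.

```python
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"


class ResponderDown(Exception):
    """Stands in for a timeout or connection error when querying a responder."""


def make_responder(revoked_serials, up=True):
    """Build a hypothetical responder: a callable mapping serial -> Status."""
    def query(serial):
        if not up:
            raise ResponderDown("no answer from responder")
        return Status.REVOKED if serial in revoked_serials else Status.GOOD
    return query


def accept_certificate(serial, responders, hard_fail):
    """Return (accepted, reason) for one certificate.

    responders: tried in order; the first one that answers decides.
    hard_fail:  True  -> no answer from any responder means reject
                False -> no answer means "assume it's ok" (soft-fail)
    """
    for query in responders:
        try:
            status = query(serial)
        except ResponderDown:
            continue  # this responder is unavailable, try the next one
        if status is Status.REVOKED:
            return False, "revoked"
        return True, "good"
    if hard_fail:
        return False, "no-status-hard-fail"
    return True, "no-status-soft-fail"


# Constructed sample data: serial 0x1002 has been revoked by the CA.
REVOKED = {0x1002}
DOWN = make_responder(REVOKED, up=False)
UP = make_responder(REVOKED, up=True)

if __name__ == "__main__":
    for serial in (0x1001, 0x1002):
        for hard_fail in (False, True):
            verdict = accept_certificate(serial, [DOWN], hard_fail)
            print(hex(serial), "hard_fail" if hard_fail else "soft_fail", verdict)
```

With the only responder down, a soft-fail client accepts the revoked serial, while a hard-fail client rejects the valid one, which is why responder uptime matters to a CA operator.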
