Massimiliano Pala wrote:
>
> Michael Bell wrote:
>
> [...OCSP...]
> > directly on the PKI's database. So I know of no way these two systems
> > could cooperate because every OCSP responder directly accesses a
> > proprietary database.
>
> They could talk to an LDAP directory server as a backend database. I don't
> know if there is an RFC (or if some RFCs are) currently covering the issue.

The idea of OCSP is to get the most current information that is
available. This means that if a certificate got the status "suspended" at
14.31 o'clock, then a query for the validity of the certificate must
be answered from 14.32 o'clock on with "suspended" or "not valid".
Another database between the PKI's database and the OCSP responder is a
very big problem because no transaction of the PKI's database could be
committed until the LDAP was updated.

Regards, Michael
----------------------------------------------------------------------------
Michael Bell                   Email: [EMAIL PROTECTED]
Rechenzentrum - Datacenter     Email (work): [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.(work): +49 (0)30-2093 2482
Unter den Linden 6             Fax.(work): +49 (0)30-2093 2959
10099 Berlin
Germany                        [OpenCA Core Developer]
http://openca.sourceforge.net

Cryptographic signature with S/MIME