> > [...OCSP...]
> > > directly on the PKI's database. So I know no way how these two systems
> > > could cooperate because every OCSP responder accesses directly a
> > > proprietary database.
> > 
> > They could talk to an LDAP directory server as a backend database. I don't
> > know if there is an RFC (or some RFCs) currently covering the issue.
> 
> The idea of OCSP is to get the most current information which is
> available. This means if a certificate got the status "suspended" at
> 14:31 o'clock then a query about the validity of the certificate must
> be answered from 14:32 o'clock on with "suspended" or "not valid".
> 
> Another database between the PKI's database and the OCSP responder is a
> very big problem because no transaction of the PKI's database could be
> committed until the LDAP was updated.

As for UniCERT, they do not use any database between the PKI and the OCSP responder.
They use a kind of "push" technology, and I believe that the information is
updated the same way (or maybe with the same protocol) as LDAP.
There is some information on OCSP in this file from ValiCert
http://www.valicert.com//corporate/library/pdfs/validation_authority_ds.pdf


"ValiCert VA Publisher": Obtains revocation
data from a certificate authority (CA), or a directory
server supporting LDAP, and transports it to
a ValiCert VA.

I have got a response from Mike Myers which might be interesting too:

Vladas,

A CA may store its OCSP validation information in any means it finds most
suitable; the means are beyond the scope of the protocol specification.
LDAP may be useful to some environments.  Also, some CAs may choose to
periodically publish CRLs for this purpose.  I think that's a waste of
resources--to publish a CRL only to decompose it back into another signed
object.  A more effective approach is to take full advantage of the
scalability and distributability inherent in today's leading database
management solutions, subject of course to pragmatic system level
requirements for authenticity and integrity.

Hope this helps.  Sorry I couldn't be more definitive on this point, but the
backend of an OCSP is out of scope of the specification.  Please feel free
to contact me for further discussions.  By the way, my architecture for OCSP
was to some extent informed by and coordinated with certain Identrus
principals.

Mike


Kind regards,
  Vladas.
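To make the freshness argument in the quoted text concrete, here is an added toy model (not code from the thread, OpenCA, UniCERT or ValiCert) of the three backend arrangements discussed: a responder reading the CA's status database directly, a responder reading an intermediate directory that is refreshed by periodic polling, and a responder reading a replica that the CA writes to inside its own status-change transaction (the "push" model). The class names, the 15-minute poll interval, the serial number and the timestamps are all constructed for the example; only the 14:31 suspension / 14:32 query scenario comes from the thread.

```python
"""Toy model of OCSP status freshness against different backends.

Added illustration; it builds no real OCSP messages and signs nothing.
It only shows which backend can still answer "good" one minute after the
CA has marked a certificate suspended.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

GOOD, SUSPENDED, REVOKED = "good", "suspended", "revoked"


@dataclass
class StatusStore:
    """Table of certificate serial -> (status, time the status was set).
    Used both as the CA's own database and as a push-fed replica."""
    rows: Dict[str, Tuple[str, datetime]] = field(default_factory=dict)

    def get(self, serial: str, now: datetime) -> Tuple[str, datetime]:
        # A serial with no recorded change is treated as "good".
        return self.rows.get(serial, (GOOD, datetime.min))


class CertificateAuthority:
    """Authoritative status database. Replicas in `push_targets` are written
    inside the same status-change transaction (the "push" model)."""

    def __init__(self) -> None:
        self.db = StatusStore()
        self.push_targets: List[StatusStore] = []

    def change_status(self, serial: str, status: str, when: datetime) -> None:
        self.db.rows[serial] = (status, when)
        # The change is not complete until every pushed replica has it,
        # which is exactly the coupling the quoted text complains about.
        for replica in self.push_targets:
            replica.rows[serial] = (status, when)


class PolledReplica(StatusStore):
    """Intermediate directory (think LDAP) refreshed by periodic polling."""

    def __init__(self, ca: CertificateAuthority, interval: timedelta) -> None:
        super().__init__()
        self.ca = ca
        self.interval = interval
        self.last_sync = datetime.min

    def get(self, serial: str, now: datetime) -> Tuple[str, datetime]:
        if now - self.last_sync >= self.interval:
            # Full copy of the CA table, much like a periodic CRL dump.
            self.rows = dict(self.ca.db.rows)
            self.last_sync = now
        return super().get(serial, now)


class Responder:
    """OCSP-style responder: answers the status of a serial from its backend."""

    def __init__(self, backend: StatusStore) -> None:
        self.backend = backend

    def query(self, serial: str, now: datetime) -> str:
        status, _since = self.backend.get(serial, now)
        return status


def at(hh: int, mm: int) -> datetime:
    """Constructed timestamp on an arbitrary day."""
    return datetime(2001, 1, 1, hh, mm)


def scenario() -> Dict[str, str]:
    """Reproduce the thread's example: suspension at 14:31, queries at 14:32."""
    ca = CertificateAuthority()

    direct = Responder(ca.db)                          # reads the CA database
    ldap = PolledReplica(ca, interval=timedelta(minutes=15))
    polled = Responder(ldap)                           # reads a polled copy
    pushed_copy = StatusStore()
    ca.push_targets.append(pushed_copy)
    pushed = Responder(pushed_copy)                    # reads a push-fed copy

    serial = "4711"                                    # constructed serial
    polled.query(serial, at(14, 30))                   # first poll runs at 14:30
    ca.change_status(serial, SUSPENDED, at(14, 31))

    return {
        "direct@14:32": direct.query(serial, at(14, 32)),
        "pushed@14:32": pushed.query(serial, at(14, 32)),
        "polled@14:32": polled.query(serial, at(14, 32)),  # stale: next poll at 14:45
        "polled@14:45": polled.query(serial, at(14, 45)),  # next poll picks it up
    }


if __name__ == "__main__":
    for backend, answer in scenario().items():
        print(f"{backend}: {answer}")
```

The polled replica answers "good" at 14:32 for a certificate the CA suspended at 14:31, and only catches up at the next poll. The direct and push-fed backends answer "suspended" immediately, at the cost that the CA's status change is complete only once the replica has been written, which is the trade-off both sides of the quoted exchange are describing.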

_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/openca-devel
