Michael Bell wrote:
> Do you know the transport protocol of OCSP (I read RFC 2560 and I think
> we could use http)? Must we create a daemon or could we use a server
> like apache? What is with the code from OpenSSL (openssl ocsp ...)?
Yes, I have worked on it some time ago, both the 2560 and the draft on
OCSPv2. The transport protocol I suggest using is HTTP, for the simple
reason that Mozilla (and Netscape 6) use that transport and it will most
likely be the protocol widely adopted. Other transport protocols, AFAIK,
are not currently used by common clients.
I have been thinking a bit on the OCSP responder structure. There are some
possibilities:

  o command line tool openssl ocsp + apache.
    Pro:
      o easy devel (a perl wrapper should be sufficient)
      o uses ocsp from openssl (no maintenance needed, mostly)
    Against:
      o openssl's ocsp command line does not support any dbms;
      o mixture of PERL/command line tool in a service that
        could have high traffic;

  o stand-alone daemon -> as the current OpenCA-OCSPD module
    Pro:
      o has daemon structure;
      o could be a faster responder;
      o does not depend on external software;
      o separate configuration files;
    Against:
      o has daemon structure (connection management, sec
        issues, etc...);
      o needs good HTTP parsing;
      o cannot share port 80 with another server (web)
        on the same IP (from trials with the Netscape PSM,
        some time ago, that was the only port the requests
        were sent to; this is not the case with Mozilla)

  o Apache Module -> An apache module
    Pro:
      o little or no overhead for connection management;
      o no efforts for HTTP parsing;
      o can share port 80 with apache services;
    Against:
      o difficulties in integrating support for dbms;
      o heavily depends on Apache;
These are only some aspects of the problem. Will someone take care of
listing all of them so as to evaluate the solution that fits best with
our needs?
--
C'you,
Massimiliano Pala
--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
http://www.openca.org Tel.: +39 (0)59 270 094
http://openca.sourceforge.net Mobile: +39 (0)347 7222 365
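Two of the cons listed for the stand-alone daemon are that it "needs good HTTP parsing" and that the responder has to get the request into a form it can look up in a dbms. The following added example (written for this discussion; it is not OpenCA-OCSPD, OpenSSL or Apache code) shows what that front end amounts to under the HTTP transport of RFC 2560 Appendix A: it validates the POST envelope (method, Content-Type application/ocsp-request, Content-Length) and walks the DER OCSPRequest just far enough to extract each CertID's hash algorithm, issuer hashes and serial number. The sample request is constructed inline with a tiny DER encoder from made-up issuer data; the issuer name, key bytes and serial are assumptions, not values from any real CA. The GET form of the transport (base64 request in the URL) is deliberately rejected here, not implemented.

```python
"""Minimal RFC 2560 HTTP-transport front end for an OCSP responder (added example)."""
import hashlib

# ---- tiny DER encoder, used only to construct the sample request ----------

def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with a definite-length header (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

SHA1_OID = bytes.fromhex("2b0e03021a")  # 1.3.14.3.2.26 (id-sha1), as used by RFC 2560 CertID

def build_ocsp_request(issuer_name: bytes, issuer_key: bytes, serial: int) -> bytes:
    """OCSPRequest ::= SEQUENCE { tbsRequest }, with a single Request { reqCert CertID }."""
    serial_der = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # keeps sign bit clear
    cert_id = der(0x30,
                  der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))     # hashAlgorithm
                  + der(0x04, hashlib.sha1(issuer_name).digest())     # issuerNameHash
                  + der(0x04, hashlib.sha1(issuer_key).digest())      # issuerKeyHash
                  + der(0x02, serial_der))                            # serialNumber
    request_list = der(0x30, der(0x30, cert_id))                      # SEQUENCE OF Request
    return der(0x30, der(0x30, request_list))                         # OCSPRequest{TBSRequest}

# ---- DER reader: bounds-checked, rejects indefinite lengths ----------------

def der_read(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; raise on malformed input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def expect(buf: bytes, pos: int, tag: int):
    """Read the TLV at pos and insist on a specific tag; return (value, next_pos)."""
    t, v, nxt = der_read(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag {tag:#x}, got {t:#x}")
    return v, nxt

def parse_cert_ids(ocsp_request: bytes) -> list:
    """Walk OCSPRequest -> TBSRequest -> requestList and return one dict per CertID."""
    tbs_tlv, _ = expect(ocsp_request, 0, 0x30)        # OCSPRequest (optionalSignature ignored)
    tbs, _ = expect(tbs_tlv, 0, 0x30)                 # TBSRequest
    pos = 0
    while pos < len(tbs) and tbs[pos] in (0xA0, 0xA1):  # skip [0] version / [1] requestorName
        _, _, pos = der_read(tbs, pos)
    req_list, _ = expect(tbs, pos, 0x30)              # requestList; [2] extensions ignored
    ids, pos = [], 0
    while pos < len(req_list):
        req, pos = expect(req_list, pos, 0x30)        # Request
        cid, _ = expect(req, 0, 0x30)                 # CertID
        alg, p = expect(cid, 0, 0x30)                 # AlgorithmIdentifier
        oid, _ = expect(alg, 0, 0x06)
        name_hash, p = expect(cid, p, 0x04)
        key_hash, p = expect(cid, p, 0x04)
        serial_bytes, _ = expect(cid, p, 0x02)
        serial = int.from_bytes(serial_bytes, "big", signed=True)
        if serial < 0:
            raise ValueError("negative serial number")
        ids.append({"hash_oid": oid.hex(), "issuer_name_hash": name_hash.hex(),
                    "issuer_key_hash": key_hash.hex(), "serial": serial})
    return ids

# ---- HTTP envelope per RFC 2560 Appendix A.1.1 ----------------------------

def parse_ocsp_http_post(raw: bytes) -> bytes:
    """Validate the POST envelope and return the DER body; anything else is rejected."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    method, _target, _version = lines[0].split(b" ")
    if method != b"POST":
        raise ValueError("only the POST form of OCSP over HTTP is handled")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    if headers.get(b"content-type") != b"application/ocsp-request":
        raise ValueError("unexpected Content-Type")
    if int(headers.get(b"content-length", b"-1")) != len(body):
        raise ValueError("Content-Length does not match body")
    return body

def handle(raw: bytes) -> list:
    """Front-end step of a responder: envelope check, then CertIDs ready for a db lookup."""
    return parse_cert_ids(parse_ocsp_http_post(raw))

# Constructed sample (assumed issuer name/key and serial; not from any real CA).
SAMPLE_SERIAL = 0x1A2B3C
SAMPLE_DER = build_ocsp_request(b"CN=Example Test CA", b"example-issuer-public-key", SAMPLE_SERIAL)
SAMPLE_POST = (b"POST /ocsp HTTP/1.1\r\nHost: ocsp.example.test\r\n"
               b"Content-Type: application/ocsp-request\r\n"
               b"Content-Length: %d\r\n\r\n" % len(SAMPLE_DER)) + SAMPLE_DER

if __name__ == "__main__":
    for cid in handle(SAMPLE_POST):
        print(cid)
```

The point of the bounds checks in der_read is the "sec issues" item in the daemon's cons: a responder on a public port parses attacker-supplied DER, so every length must be checked against the buffer before it is used, and an unexpected tag is a reason to refuse the request rather than to guess.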