Michael Bell wrote:
alexandru matei wrote:
[...]
This can ease certificates synchronization between RA and CA.
I think too that the second alternative is the better one. The reason is simply performance and portability. An OCSPD must answer many requests in big organizations and an additional index.txt is the fastest solution.
Well, there is another point to consider. If the whole index.txt is to
be kept in memory and, let's say, the organization has a 500,000-certificate
db, then reloading it could be heavy. Actually the fork() command is
used for spawning subprocesses but this could be impracticable in such
a situation as all the data will be duplicated and memory usage will
be unacceptable.

Another solution could be the adoption of another approach.

If we load all the CRLs into the OCSPD memory then we know if a certificate
is revoked and if it is not (and the certificate with the serial present
in the db has been issued) the OCSPD could return a "valid" response.

Also we could think of having a CRL issued using the OCSPD's certificate
used to keep track of suspended certificates as well. The couple of
CRLs and this list will do the trick without having to access the whole
certificates' db.

The import/export-problem is not solved by this index.txt because this
[...]
the component which updates this index.txt.
I guess that to update the dbms a solution could be:

	1. Updating the OCSPD db when a new CRL is imported
	2. Updating the OCSPD db when a new CRR request is received
	3. Updating the OCSPD db when a CRR is rejected/deleted
	4. Updating the OCSPD db when a new CERTIFICATE is imported

On every update a reload of the db is required (I have to check for memory
leakage... it's on the todo list... :-* ).

I think that the index.txt should have the format of OpenSSL, right Max?
Right now I use the function from OpenSSL to load and lookup the db so
the file format is the same.

--

C'you,

	Massimiliano Pala

--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]                [EMAIL PROTECTED]
                                                     [EMAIL PROTECTED]
http://www.openca.org                            Tel.:   +39 (0)59  270  094
http://openca.sourceforge.net                    Mobile: +39 (0)347 7222 365

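An added example (not code from this thread or from the OpenCA project) of the in-memory lookup sketched above: it loads the OpenSSL ca(1) index.txt format the OCSPD already reads into a serial-keyed table and answers a status query from that table plus a set of serials taken from the loaded CRLs. The field layout assumed is the one OpenSSL writes (status flag, expiry, revocation date[,reason], serial in hex, certificate filename, subject); the index lines are constructed sample data.

```python
from typing import Dict, NamedTuple, Set

class Entry(NamedTuple):
    status: str    # OpenSSL flag: V valid, R revoked, E expired
    expires: str   # YYMMDDHHMMSSZ as written by ca(1)
    revoked: str   # "date" or "date,reason", empty if not revoked
    serial: int    # serial number (stored as hex in the file)
    subject: str   # subject DN

# Constructed sample lines in OpenSSL index.txt layout (tab separated):
# status, expiry, revocation date[,reason], serial, cert filename, subject.
SAMPLE_INDEX = (
    "V\t300101000000Z\t\t01\tunknown\t/CN=alice\n"
    "R\t300101000000Z\t240501120000Z,keyCompromise\t02\tunknown\t/CN=bob\n"
    "V\t300101000000Z\t\t0A\tunknown\t/CN=carol\n"
)

def parse_index(text: str) -> Dict[int, Entry]:
    """Load an index.txt into a serial-keyed dict (the whole-db-in-memory approach)."""
    db: Dict[int, Entry] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, expires, revoked, serial_hex, _filename, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"index.txt line {lineno}: unknown status flag {status!r}")
        serial = int(serial_hex, 16)
        if serial in db:
            raise ValueError(f"index.txt line {lineno}: duplicate serial {serial_hex}")
        db[serial] = Entry(status, expires, revoked, serial, subject)
    return db

def ocsp_status(serial: int, issued: Dict[int, Entry], crl_serials: Set[int]) -> str:
    """Decide the certStatus the thread describes: a serial on any loaded CRL (or
    flagged R in the db) is 'revoked'; a serial this CA never issued must be
    'unknown', not 'good', since 'good' would vouch for a cert the CA did not sign."""
    if serial in crl_serials:
        return "revoked"
    entry = issued.get(serial)
    if entry is None:
        return "unknown"
    if entry.status == "R":
        return "revoked"
    return "good"   # 'E' (expired) is still not revoked; expiry is the client's check
```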