Hi Max,

> Hi Sebastian,
>
> If you do not hear from me by the end of the week, please send me an
> email, I might have forgotten to send you the software.

Ok.

> For the revocation status checking.. I have to say that, because of
> the difficulty of finding timely revocation information, many applications
> just allow bad responses (or no responses) from OCSP/CRL repositories.
> So, I would say, the situation is definitely worse than you picture.
>
> The situation is better if you are not dealing with Internet-scale
> infrastructures (e.g., company PKIs or organization-specific applications).

Fortunately, I only have to deal with a closed organisation-wide PKI setup at the moment. Historically and by design (multiple CA branches), there are several CAs involved, but revocation information is (more or less ;^) completely under my control. Compared to global-scale infrastructures, things are still relatively simple and well defined here.

> I am working on an idea that should allow for better interoperability
> among PKIs in the Internet. The idea is based on deploying an internet
> service for public key systems. Talking with people at IETF, there is
> consensus on the project.. Unfortunately I have not found the funding
> to work on it, yet.
>
> As I usually say, we use PKIs as if we would try to surf the web
> without an internet-wide DNS. It may work for small, closed environments..
> but it would not work in an open environment... I think we shall really
> work on the "Public Key System" as the time is right - we rely on PKIs
> more and more.. and we start deploying PK-based services like DNSSEC
> without the appropriate support..

Wouldn't it be enough if every CA would publish valid CRL and OCSP server information in their certificates, given the servers constantly provide timely revocation information?

> .. but we need research funding to go on with the project... do you know
> anybody with plenty of money to spare for the sake of us all ??? :D

Sorry, but the company I work for is probably too small to spend a lot of money on such a project and not involved at all in the internet-scale PKI market to probably even be interested.

> Cheers,
> Max

Cheers,
seBASStian

> On 04/11/2010 01:43 PM, Basscontrol wrote:
>> Hi Max,
>>
>> I'd be happy to test the new version in my environment. Hopefully, it
>> works well - then I can continue using OCSP and you can release the code
>> to the public.
>> BTW.: Are there really so few people using OCSP for checking revocation
>> status? And if so - does the whole world still rely on CRLs or even
>> worse?

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users