Hi

The current version of "openssl ocsp" is based on stuff/index.txt, so I am afraid that the OCSP server must run on the same server as the certificate authority, but in our case the CA server is running offline (nearly offline) for security reasons.
Another solution is to export the index.txt to a dedicated OCSP server, but how to protect this file (integrity issue) in a way that the OCSP responder can sign answers? Why does OCSP use index.txt as data backend? Why not use a valid CRL for that usage?


Any comment is welcome.

Regards
Serge Aumont

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
