On Tue, Jan 13, 2004 at 08:43:21AM +0100, Aumont - Comite Reseaux des Universites wrote:
> Hi
>
> The current version of "openssl ocsp" is based on stuff/index.txt so I
> am afraid that the OCSP server must run on the same server as the
> certificate authority, but in our case the CA server is running offline
> (nearly offline) for security reasons.

The major task for an OCSP server is to deliver the current status of certificates issued.

> Another solution is to export the index.txt on a dedicated OCSP server,
> but how to protect this file (integrity issue) in a way that the OCSP
> responder can sign answers? Why does OCSP use index.txt as data backend?
> Why not use a valid CRL for that usage?

There's a better chance to get a stale (not the current) status if/when running from CRLs issued some time ago.

> Any comment is welcome.

Beware marketing-driven wide-scale misunderstanding here

regards,
Vadim
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
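
The staleness point made in the reply above, as an added example that is not part of the original message and is not OpenSSL's code: it parses a CA database in the index.txt layout and compares the status it yields with a CRL issued earlier. The sample index.txt lines, the CRL snapshot and all function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample of an OpenSSL CA database (index.txt): tab-separated
# status flag, expiry, revocation date[,reason], serial, file name, subject.
INDEX_TXT = (
    "V\t050113000000Z\t\t01\tunknown\t/CN=alice.example\n"
    "R\t050113000000Z\t040105120000Z,keyCompromise\t02\tunknown\t/CN=bob.example\n"
    "R\t050113000000Z\t040112180000Z\t03\tunknown\t/CN=carol.example\n"
)
# Constructed CRL snapshot: its issue time and the serials it lists as revoked.
CRL_THIS_UPDATE = datetime(2004, 1, 10, tzinfo=timezone.utc)
CRL_REVOKED = {"02"}

def parse_time(field):
    # index.txt timestamps use the UTCTime form YYMMDDHHMMSSZ.
    return datetime.strptime(field, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def load_index(text):
    """Return {serial: (status_flag, revocation_time_or_None)}."""
    db = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        status, _expiry, revoked, serial, _fname, _subject = line.split("\t")
        when = parse_time(revoked.split(",")[0]) if status == "R" else None
        db[serial.upper()] = (status, when)
    return db

def status_from_index(db, serial):
    # Simplified mapping: V -> good, R -> revoked, anything else -> unknown.
    flag = db.get(serial.upper(), ("?", None))[0]
    return {"V": "good", "R": "revoked"}.get(flag, "unknown")

def status_from_crl(serial):
    # A CRL only lists revocations known when it was issued.
    return "revoked" if serial.upper() in CRL_REVOKED else "good"

def stale_serials(db):
    """Serials revoked in the CA database after the CRL was issued."""
    return sorted(s for s, (flag, when) in db.items()
                  if flag == "R" and when > CRL_THIS_UPDATE and s not in CRL_REVOKED)

if __name__ == "__main__":
    db = load_index(INDEX_TXT)
    for serial in ("01", "02", "03"):
        print(serial, status_from_index(db, serial), status_from_crl(serial))
    print("revoked since the CRL was issued:", stale_serials(db))
```

Serial 03 is the case the reply describes: the CA database already records the revocation, while a responder fed only the older CRL would still answer "good" until the next CRL arrives.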
