On Tue, Jan 13, 2004, Aumont - Comite Reseaux des Universites wrote:

> Hi
> 
> The current version of "openssl ocsp" is based on stuff/index.txt, so I 
> am afraid that the OCSP server must run on the same server as the 
> certificate authority, but in our case the CA server is running offline 
> (nearly offline) for security reasons.
> Another solution is to export the index.txt to a dedicated OCSP server, 
> but how to protect this file (integrity issue) in a way that the OCSP 
> responder can sign answers? Why does OCSP use index.txt as data backend? 
> Why not use a valid CRL for that usage?
> 

Because, as the manual states, the ocsp mini-responder is not a full
production server; it is only intended to be used for test purposes. It can't
actually respond to more than one request at once. It is possible to get
improved performance by using a normal web server as a front end to it,
though it still won't be very efficient.

If there was enough interest I could write a higher performance OCSP responder
based on the OpenSSL OCSP code.

CRLs also have a problem determining which serial numbers are valid. OCSP
requires a valid/revoked/unknown response, where one reason for "unknown" is
that an invalid serial number has been given. Since CRLs only list revoked
certificates, there's no way to tell the difference between the valid/unknown
cases.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
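To make the three-valued point concrete, here is an added example (not code from the thread or from OpenSSL) that parses a constructed `index.txt` in the format `openssl ca` writes (status, expiry, revocation date with optional `,reason`, hex serial, file name, subject DN, tab-separated) and answers a status query the way an OCSP responder must: good, revoked (with time and reason), or unknown for a serial the CA never issued. Beside it, a CRL-style lookup over the same CA's revoked serials can only say "revoked" or "not revoked", so a bogus serial comes back looking good. The `verify_digest` helper is a hypothetical, minimal integrity check for an exported copy of the database; the expected digest is assumed to reach the responder host over a channel the responder host cannot rewrite (for example shipped with the export and signed by the CA). The sample data and serials are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample of an OpenSSL CA database (index.txt); not from the post.
# Six tab-separated fields: status (V/R/E), expiry, revocation date (optionally
# ",reason"), serial in hex, file name, subject DN.
SAMPLE_INDEX = (
    "V\t250101000000Z\t\t01\tunknown\t/CN=alice.example\n"
    "R\t250101000000Z\t240601120000Z,keyCompromise\t02\tunknown\t/CN=bob.example\n"
    "E\t240101000000Z\t\t03\tunknown\t/CN=carol.example\n"
    "V\t250101000000Z\t\t0A3F\tunknown\t/CN=dave.example\n"
)

# Constructed set of serials a CRL issued by the same CA would carry.
SAMPLE_CRL_SERIALS: Set[int] = {0x02}


@dataclass
class IndexEntry:
    status: str                     # "V" valid, "R" revoked, "E" expired
    expiry: str                     # YYMMDDHHMMSSZ as written by openssl ca
    revocation_time: Optional[str]  # only set for "R" rows
    reason: Optional[str]           # CRL reason string after the comma, if any
    subject: str


def parse_index(text: str) -> Dict[int, IndexEntry]:
    """Parse an index.txt body into a map keyed by integer serial number."""
    entries: Dict[int, IndexEntry] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revinfo, serial_hex, _filename, subject = fields
        rev_time, _, reason = revinfo.partition(",")
        entries[int(serial_hex, 16)] = IndexEntry(
            status, expiry, rev_time or None, reason or None, subject)
    return entries


def ocsp_status(entries: Dict[int, IndexEntry],
                serial: int) -> Tuple[str, Optional[str], Optional[str]]:
    """Three-valued answer as OCSP needs it: (status, revocation_time, reason)."""
    entry = entries.get(serial)
    if entry is None:
        return ("unknown", None, None)          # CA never issued this serial
    if entry.status == "R":
        return ("revoked", entry.revocation_time, entry.reason)
    # "V" and "E" rows are not revoked. OCSP "good" only asserts non-revocation;
    # checking the validity period is the client's job (treating "E" as good is
    # this example's choice, not something the post specifies).
    return ("good", None, None)


def crl_status(crl_serials: Set[int], serial: int) -> str:
    """CRL lookup: only revoked / not revoked. A serial the CA never issued
    is absent from the CRL and therefore looks 'good'."""
    return "revoked" if serial in crl_serials else "good"


def index_digest(text: str) -> str:
    """SHA-256 of the exported database, computed at export time on the CA host."""
    return hashlib.sha256(text.encode()).hexdigest()


def verify_digest(text: str, expected_sha256_hex: str) -> bool:
    """Hypothetical integrity check before the responder trusts an exported copy.
    Assumes expected_sha256_hex arrived via a channel the responder host cannot
    alter; without that, an attacker who can edit index.txt can edit the digest."""
    return hashlib.sha256(text.encode()).hexdigest() == expected_sha256_hex


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    for serial in (0x01, 0x02, 0x03, 0x0A3F, 0x99):
        print(f"serial {serial:04X}: index -> {ocsp_status(db, serial)[0]:8s}"
              f" crl -> {crl_status(SAMPLE_CRL_SERIALS, serial)}")
```

Running it shows the divergence the reply describes: serial 0x99, which the CA never issued, is "unknown" from the database and "good" from the CRL.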