On Tue, Mar 23, 2010, Eisenacher, Patrick wrote:
> Hi Steve,
>
> > -----Original Message-----
> > From: Dr. Stephen Henson
> >
> > There are two automatic trust models for OCSP responder
> > certificates. One is the CA key that signed the
> > certificate also signs responses: that isn't
> > recommended for security reasons.
>
> can you please elaborate on this?
>
Well, it would typically require giving a public responder access to a CA key, increasing the risk of compromise, especially if the private key itself is placed on the server. In the delegated model only a dedicated OCSP signing key is needed on the responder.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
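The two trust models discussed above, exercised offline with the openssl command line. This is an added example, not code from the thread or from the OpenSSL project: the CA, the certificates, the serial numbers, the DNs, the extension profiles in ossl.cnf and the file names are all assumptions made for the demo. It builds a throwaway CA, answers one status request three ways (a delegated signer with the OCSPSigning EKU, the CA key itself, and a CA-issued certificate lacking the EKU) and checks which responses a client that trusts only the CA accepts.

```shell
#!/bin/sh
# Added example (not code from the thread): run both OCSP responder trust
# models offline with the openssl CLI and watch client-side verification
# accept or reject each response. File names, DNs, serial numbers, extension
# profiles and the 30-day lifetimes are arbitrary choices made for this demo.
#
#   delegated model : dedicated responder key whose certificate is issued by
#                     the CA and carries extendedKeyUsage = OCSPSigning; only
#                     this key needs to live on the responder host.
#   CA-key model    : the CA key itself signs the response, so the responder
#                     host has to hold the CA private key.
#   negative control: a CA-issued certificate WITHOUT the OCSPSigning EKU; a
#                     client trusting only the CA must reject its responses.
set -e
command -v openssl >/dev/null 2>&1 || { echo "skip: openssl CLI not installed" >&2; exit 0; }

WORK=$(mktemp -d)
cd "$WORK"

# Minimal config: a CA profile, the delegated OCSP-signer profile, and a plain
# end-entity profile that deliberately lacks the OCSPSigning EKU.
cat > ossl.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ocsp_ext ]
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
[ plain_ext ]
keyUsage = critical, digitalSignature
EOF

# issue_cert NAME DECIMAL_SERIAL EXT_SECTION: key, CSR and CA-signed NAME.pem
issue_cert() {
    openssl req -new -config ossl.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1.csr" -subj "/CN=$1" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "$2" \
        -days 30 -extfile ossl.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

setup_pki() {
    openssl req -x509 -config ossl.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.pem -subj "/CN=Demo CA" -days 30 2>/dev/null
    issue_cert www.example.test 4096 plain_ext   # subject whose status is queried
    issue_cert ocsp-signer      4097 ocsp_ext    # delegated responder certificate
    issue_cert bad-signer       4098 plain_ext   # CA-issued, but no OCSPSigning EKU
    # 'openssl ocsp -index' reads an 'openssl ca'-style index file:
    # status, expiry, revocation date, serial in hex (4096 = 0x1000), file, subject
    printf 'V\t991231235959Z\t\t1000\tunknown\t/CN=www.example.test\n' > index.txt
    # The request a client would send; -no_nonce keeps the offline round trip simple
    openssl ocsp -issuer ca.pem -cert www.example.test.pem -no_nonce -reqout req.der >/dev/null
}

# sign_response SIGNER_CERT SIGNER_KEY OUT: answer req.der the way a responder would
sign_response() {
    openssl ocsp -index index.txt -CA ca.pem -rsigner "$1" -rkey "$2" \
        -reqin req.der -respout "$3" >/dev/null 2>&1
}

# verify_response RESP: exit 0 only if a client that trusts just ca.pem accepts it
verify_response() {
    openssl ocsp -issuer ca.pem -cert www.example.test.pem -no_nonce \
        -CAfile ca.pem -respin "$1" >/dev/null 2>&1
}

# check LABEL RESP: print the verdict for one response
check() {
    if verify_response "$2"; then echo "$1: accepted"; else echo "$1: REJECTED"; fi
}

setup_pki
sign_response ocsp-signer.pem ocsp-signer.key delegated.der
sign_response ca.pem          ca.key          ca-key.der
sign_response bad-signer.pem  bad-signer.key  bad.der
check "delegated signer with OCSPSigning EKU" delegated.der   # accepted
check "CA key signs the response directly"    ca-key.der      # accepted
check "CA-issued signer without the EKU"      bad.der         # REJECTED
```

The first response is accepted because the signer certificate chains directly to the CA that issued www.example.test and carries id-kp-OCSPSigning; the second because the signer is that CA itself; the third fails with "Response Verify Failure" because a certificate issued by the CA but lacking the EKU matches neither automatic trust model. Nothing but ocsp-signer.key has to exist on the responder host in the delegated case, which is the point made above. For a live responder replace -reqin/-respout with -port on the server side and -url on the client side; the signer and verification options are unchanged.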