[caops-wg] The Open GRid Ocsp -OGRO- client has been launched!

Oscar Manso o.manso at certiver.com
Mon Oct 3 11:29:57 CDT 2005


Thanks a million for your warning, Milan!
On the new installation of the service we forgot to configure Apache in
order to stop this problem from happening.
Sorry for that.
We have arranged this problem and also another one involving the https
configuration... Although for the moment we are only using a single
certificate for all the virtual hosts...
In any case, now you shouldn't have problems accessing the service using
OpenSSL.
On the other hand, I would like to remind you that we can set the responder
on Authorized mode for any CA interested.
You just need to get in touch with us and we'll send you our PKCS request so
that you can generate the corresponding OCSP Response certificate.
In this respect, during the last meeting Milan was worried about the problem
involved in revoking one of those certificates given the fact that they all
share the same private key.
After discussing it a little with my colleagues, we do not see so much of a
problem considering the fact that, at the end of the day, even though all
the certificates share the same key, they are all different because each of
them has been signed by each CA. Therefore, we consider that it is up to
each CA to revoke such certificate whenever they feel that it is unsafe.
Of course, in case the private key is compromised, CertiVeR would immediately
notify all its partners of such fact so that they can publish the
corresponding CRL.
The only problem with such a method is that the client process (such as the
one implemented by OGRO) should validate the status of the corresponding
OCSP Signing certificate against the corresponding CRLs... which involves
problems of efficiency on the client side... there is no silver bullet here.
Any other suggestions?
Enjoy your meeting! And well, hopefully see you next time!


Oscar

> -----Original message-----
> From: owner-caops-wg at ggf.org [mailto:owner-caops-wg at ggf.org] On behalf of Milan Sova
> Sent: Saturday, 01 October 2005 14:32
> To: Jesus Luna
> CC: caops-wg at ggf.org; Oscar Manso; Manel Medina
> Subject: Re: [caops-wg] The Open GRid Ocsp -OGRO- client has been launched!
> 
> 	Hi Jesus.
> Jesus Luna wrote:
> > Dear all,
> > We are really sorry for not being able to attend the next GGF meeting, but
> 
> 	Sorry for that...
> 
> > on the other hand a couple of weeks ago we hosted here in Barcelona
> > TERENA's TF-EMC2 meeting (presentations can be found in
> > http://www.terena.nl/tech/task-forces/tf-emc2/meetings/sep05/agenda.html)
> > and we had the opportunity to introduce CertiVeR's OCSP validation
> > infrastructure for Grids. Such system is composed of two elements:
> > 
> > -In first place an OCSP Service which is currently configured as a 
> > Trusted/Authorized Responder for several Grid PKIs. As mentioned in 
> > TERENA's meeting, at this moment such service is being tested (Pilot
> > Phase) and offered free of charge for those CAs wishing to use it.
> > The list of CAs being served will grow in the next days, so please let
> > us know your comments or questions about it. More information about
> > the service can be obtained from:
> >                     http://globus-grid.certiver.com/info/
> > 
> 	Good job. Thank you.
> 
> 	Just one small request: It seems that the HTTP server
> at (tacar|globus-grid).certiver.com cannot handle OCSP
> requests via HTTP/1.0 (no Host: header in the HTTP request).
> Unfortunately it severely limits usage of the OpenSSL
> command-line ocsp client (which I usually use for testing) -
> it gets a "400 Not Found" response to every request.
> 	Could it be possible to reconfigure the HTTP server so 
> that it would dispatch the requests based on some other 
> criteria than the virtual host name? Maybe something like 
> http://www.certiver.com/tacar-ocsp/ and 
> http://www.certiver.com/grid-ocsp/ could do the job.
> 
> 	Thanks again.
> 
> 	Regards
> -- 
> 						Milan Sova
> 						sova at cesnet.cz
> 
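The Host: header problem Milan raises above, modelled as an added example: this is not code from CertiVeR, OGRO, Apache or OpenSSL. It parses a raw HTTP request and runs it through the two dispatch strategies discussed in the thread, name-based virtual hosting (which needs a Host: header that HTTP/1.0 clients do not send) and the path-based dispatch Milan suggests. The host names and URL prefixes are the ones mentioned in the thread; the backend labels, the sample request bytes and the placeholder body are constructed for the example.

```python
"""Why an HTTP/1.0 OCSP client fails against name-based virtual hosts.

Added example, not code from CertiVeR, OGRO, Apache or OpenSSL. Host names
and path prefixes come from the mailing-list thread; backend labels and the
sample requests below are constructed.
"""
from dataclasses import dataclass, field

# Name-based virtual hosts: host name -> backend responder (labels are hypothetical).
VHOSTS = {
    "tacar.certiver.com": "tacar-responder",
    "globus-grid.certiver.com": "grid-responder",
}
# Path-based alternative from the thread: URL prefix -> backend responder.
PATH_PREFIXES = {
    "/tacar-ocsp/": "tacar-responder",
    "/grid-ocsp/": "grid-responder",
}
OCSP_REQUEST_TYPE = "application/ocsp-request"  # OCSP over HTTP, RFC 2560 Appendix A.1


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: bytes = b""


def parse_request(raw: bytes) -> Request:
    """Parse a raw HTTP request head; raises ValueError on malformed input."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("bad request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("bad header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return Request(parts[0], parts[1], parts[2], headers, body)


def is_ocsp_post(req: Request) -> bool:
    """OCSP over HTTP carries the DER request in a POST with this Content-Type."""
    ctype = req.headers.get("content-type", "").lower()
    return req.method == "POST" and ctype == OCSP_REQUEST_TYPE


def dispatch_by_host(req: Request):
    """Name-based virtual hosting: the Host: header selects the responder."""
    host = req.headers.get("host", "").split(":")[0].lower()
    if not host:
        return 400, None  # no Host: header, the HTTP/1.0 case from the thread
    backend = VHOSTS.get(host)
    return (200, backend) if backend else (404, None)


def dispatch_by_path(req: Request):
    """Path-based dispatch: the request target selects the responder; Host: is ignored."""
    for prefix, backend in PATH_PREFIXES.items():
        if req.target.startswith(prefix):
            return 200, backend
    return 404, None


def handle(raw: bytes, strategy):
    """Parse, reject non-OCSP traffic, then dispatch with the chosen strategy."""
    req = parse_request(raw)
    if not is_ocsp_post(req):
        return (405 if req.method != "POST" else 415), None
    return strategy(req)


# Constructed sample requests; the body is placeholder bytes, not a real OCSPRequest.
FAKE_DER = b"\x30\x03\x02\x01\x00"

HTTP10_REQUEST = (
    b"POST /grid-ocsp/ HTTP/1.0\r\n"
    b"Content-Type: application/ocsp-request\r\n"
    b"Content-Length: 5\r\n\r\n" + FAKE_DER
)
HTTP11_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: globus-grid.certiver.com\r\n"
    b"Content-Type: application/ocsp-request\r\n"
    b"Content-Length: 5\r\n\r\n" + FAKE_DER
)

if __name__ == "__main__":
    for label, raw in (("HTTP/1.0", HTTP10_REQUEST), ("HTTP/1.1", HTTP11_REQUEST)):
        print(label, "by host:", handle(raw, dispatch_by_host),
              "by path:", handle(raw, dispatch_by_path))
```

Run stand-alone, the script shows the HTTP/1.0 request rejected with 400 under name-based dispatch but routed correctly under path-based dispatch, while the HTTP/1.1 request with a Host: header succeeds under name-based dispatch. Path-based dispatch also keeps a single certificate per server name workable, which matches the situation described above where one certificate serves all virtual hosts.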




