[caops-wg] Issue with OCSP through HTTP caches

jluna at ac.upc.edu jluna at ac.upc.edu
Mon Apr 24 02:39:03 CDT 2006


Quoting Mike Helm <helm at fionn.es.net>:

> 
> Is the recommendation one to the authors of OCSP client-side
> software or to proxy administrators?  
> 
I think that this should be addressed to OCSP architects in charge of
deploying/planning the Grid-OCSP Responders ("please disable OCSP-service
caching at HTTP-caches"). 
However this recommendation also could be useful for developers trying to figure
out potential problems with their clients (the HTTP cache responding instead of
the OCSP Responder).

> It seems natural to take advantage of http proxies -- especially in those
> unfortunate circumstances where you have no other choice! 
> Unless it's hopeless, but I don't see that from the example
> cited or from the RFC, but I definitely don't understand
> all the potential problems.   
> 

HTTP Proxying is useful, but the problem may arise from HTTP-caches where a
misconfigured server may begin responding to OCSP Requests instead of sending them
to the OCSP Responder. I think that this is likely to happen when OCSP Requests
are being sent over HTTP/1.0 (i.e. OpenSSL clients?).

Regards,
Jesus
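
A client-side check for the situation described in this message (an HTTP cache answering in place of the OCSP Responder), added here as an example that is not part of the original post. The function name, reason labels, five-minute tolerance and sample values are assumptions, and the nonce and thisUpdate/nextUpdate values are assumed to be already parsed from the OCSP request and the signed response.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def cache_indicators(headers, sent_nonce, resp_nonce, this_update,
                     next_update, now, tolerance=timedelta(minutes=5)):
    """Return reasons to suspect an OCSP reply was served by an HTTP cache."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    reasons = []
    # An HTTP/1.1 cache adds Age when it answers from storage. HTTP/1.0
    # caches do not send it, so the remaining checks do not depend on it.
    if h.get("age", "").isdigit() and int(h["age"]) > 0:
        reasons.append("age")
    # Date is when the origin generated the message, not when it was relayed.
    if "date" in h:
        try:
            if now - parsedate_to_datetime(h["date"]) > tolerance:
                reasons.append("stale-date")
        except (TypeError, ValueError):
            reasons.append("bad-date")
    # A stored reply cannot carry the nonce of a request made after it was stored.
    if sent_nonce is not None:
        if resp_nonce is None:
            reasons.append("nonce-absent")
        elif resp_nonce != sent_nonce:
            reasons.append("nonce-mismatch")
    # thisUpdate/nextUpdate bound the period in which the status is current.
    if this_update > now + tolerance:
        reasons.append("not-yet-valid")
    if next_update is not None and now > next_update:
        reasons.append("expired")
    return reasons

# Constructed sample data: one reply straight from the responder, one replayed.
UTC = timezone.utc
NOW = datetime(2006, 4, 24, 7, 39, 3, tzinfo=UTC)
FRESH = cache_indicators({"Date": "Mon, 24 Apr 2006 07:39:01 GMT"},
                         b"\x01\x02", b"\x01\x02",
                         NOW - timedelta(minutes=1), NOW + timedelta(hours=1), NOW)
CACHED = cache_indicators({"Date": "Mon, 24 Apr 2006 06:00:00 GMT", "Age": "5943"},
                          b"\x03\x04", b"\x01\x02",
                          datetime(2006, 4, 24, 6, 0, tzinfo=UTC),
                          datetime(2006, 4, 24, 7, 0, tzinfo=UTC), NOW)

if __name__ == "__main__":
    print("fresh :", FRESH)
    print("cached:", CACHED)
```

A responder that serves pre-produced responses may legitimately omit the nonce, so "nonce-absent" is reported separately from "nonce-mismatch".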




