[caops-wg] OCSP & Proxy Certs

Cowles, Robert D. rdc at slac.stanford.edu
Sun Jan 29 06:57:32 CST 2006


> Conclusions:
> We should recommend CA operators include an AIA URL for OCSP, and
> stand up a server.  
> Since not every CA can do this, we should recommend some agency
> (IGTF? commercial?) stand up clearinghouse OCSP responders which
> can become well-known & trusted resources
> A protocol for permitting authenticated updates (registering of 
> revoked proxy certs) may need to be developed
> OCSP client software must ignore "unknown" responses about proxy
> certs - no info is no info in this case.
> 

Following up on discussions at the EUgridPMA and post-meeting
discussions, I'm really nervous about the fragility of a 
network of OCSP responders.... that's just for the CAs and 
doesn't really address the issue that Mike raises of how we set 
up a network of responders that will do what we want with
proxy certificates.

For what it's worth, there seem to be a number of wireless 
providers in airports, etc. that I'm seeing recently who
are supplying OCSP information that Firefox chokes on and
so it won't allow me to connect to the site.  Being a typical
user, I don't give a damn about the PKI infrastructure, I 
just want to check my email and I don't want to have to spend an
even longer time screwing around ... as a result, I now 
use IE to connect to wireless systems for payment, registration
etc.  Also, IE doesn't seem to cache the DNS and so as I
move from airport to airport, it is more likely to do the 
redirection to the new registration page in a timely fashion
than Firefox. (I suspect that the same issue is involved in the 
OCSP error code I receive, but I haven't bothered to look it
up.)

BC
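The quoted conclusions ask for two things on the relying-party side: find the OCSP responder from the certificate's AIA extension, and treat an "unknown" OCSP answer about a proxy certificate as no information rather than as a failure. The following is an added, self-contained Python example (not code from this thread, the caops-wg, or any grid middleware) that shows both. The DER sample, the hostnames, and the accept/reject/no-info policy are constructed for illustration; the only real identifiers are the RFC 5280 access-method OIDs and the GeneralName URI tag.

```python
"""
Relying-party OCSP handling for CA-issued and proxy certificates.

Constructed example, not the caops-wg's or any project's code:
  * a minimal DER walker that pulls OCSP responder URIs out of an
    AuthorityInfoAccess extension value;
  * the status policy the thread's conclusions describe: "unknown"
    about a proxy cert carries no information and is not a rejection,
    while an unreachable or malformed responder is a policy choice
    (hard-fail or soft-fail), which is the fragility concern.
"""
from enum import Enum

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp       (RFC 5280)
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers  (RFC 5280)
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86  # URI = GeneralName [6]


def _der(tag, payload):
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form definite length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def ocsp_urls_from_aia(aia_der):
    """Return the OCSP URIs in a DER AuthorityInfoAccess extension value."""
    tag, body, _ = _read_tlv(aia_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value is not a SEQUENCE")
    urls, pos = [], 0
    while pos < len(body):                  # SEQUENCE OF AccessDescription
        _, desc, pos = _read_tlv(body, pos)
        mtag, method, p = _read_tlv(desc, 0)
        ltag, location, _ = _read_tlv(desc, p)
        if mtag == TAG_OID and ltag == TAG_URI and _decode_oid(method) == OID_OCSP:
            urls.append(location.decode("ascii"))
    return urls


# Constructed sample AIA: one caIssuers entry (to be skipped) and one OCSP entry.
SAMPLE_AIA = _der(TAG_SEQUENCE,
    _der(TAG_SEQUENCE, _der(TAG_OID, _encode_oid(OID_CA_ISSUERS))
                       + _der(TAG_URI, b"http://ca.example.test/ca.crt"))
    + _der(TAG_SEQUENCE, _der(TAG_OID, _encode_oid(OID_OCSP))
                         + _der(TAG_URI, b"http://ocsp.example.test")))


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"          # responder has no record of this serial
    UNAVAILABLE = "unavailable"  # unreachable, malformed, or bad signature


def revocation_decision(status, is_proxy, soft_fail=False):
    """Map one OCSP outcome to 'accept', 'reject' or 'no-info'."""
    if status is OcspStatus.REVOKED:
        return "reject"
    if status is OcspStatus.GOOD:
        return "accept"
    if status is OcspStatus.UNKNOWN and is_proxy:
        return "no-info"   # the CA's responder never issued the proxy: no info is no info
    # UNKNOWN about a CA-issued cert, or no usable response at all: policy choice.
    return "no-info" if soft_fail else "reject"


def evaluate_chain(legs, soft_fail=False):
    """legs: [(is_proxy, OcspStatus), ...] from CA-issued EEC down to the proxy.
    Any 'reject' fails the chain; 'no-info' legs are simply unchecked."""
    decisions = [revocation_decision(s, p, soft_fail) for p, s in legs]
    return "reject" if "reject" in decisions else "accept"
```

Usage: feed `ocsp_urls_from_aia` the raw extension value (the OCTET STRING contents, not the whole Extension) of a CA-issued certificate, and run `evaluate_chain` over the per-certificate OCSP outcomes. The design point is that `no-info` is a distinct result from `reject`: a proxy leg that the CA responder has never heard of does not fail the chain, whereas the treatment of an unreachable responder is an explicit `soft_fail` setting rather than an accident of which client library is in use.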
