[caops-wg] OCSP & Proxy Certs

Mike Helm helm at fionn.es.net
Sun Jan 29 14:22:08 CST 2006


"Cowles, Robert D." writes:
> Following up on discussions at the EUgridPMA and post-meeting
> discussions, I'm really nervous about the fragility of a 
> network of OCSP responders.... that's just for the CA's and 
> doesn't really address the issue that Mike raises of how we set 

I think I have mentioned this here, but certainly at SLCCC and OSG
consortium, that some deployment scenarios for OCSP may not improve
the situation we have now.  They would replace an individual
relationship with a CA and a local CRL file that had to be updated
with an individual relationship with a CA and a (usually)
network-based URL that would have to be checked.

On the face of it that might be worse, since network overhead
and partitioning might cause problems; but the devil is in the
details.

To me this suggests you wind up with both: OCSP for more real-time
and caching data, CRLs for backup.  However, we have argued out this
scenario and counters to it, and a lot of that has dropped out of the 
paper as a result.  But see sections 4.2 and figure 1 in section 7.

I think I can say we are recommending a site and/or VO clearinghouse
trusted responder; strongly enough?  But to build that we are probably
going to have to start with something more general.  It seems to me
the foundation for this is getting CAs to each establish an OCSP
responder, provide some mechanism for registering proxy revocations,
and stamp their EE certs with the CA's responder URL.  Organizations
can build their own responders based on this info, instruct their
clients as they see fit, and identity providers who need to serve
many different communities don't have to make exceptions for each.
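
As an added illustration of the arrangement described above (this is
not part of Mike Helm's message or any caops-wg code): a throwaway CA
built with the openssl command line that stamps an EE cert with the
responder URL (AIA) and a CRL distribution point, a file-mode OCSP
responder driven from the CA's own index, and a client check that asks
OCSP first and falls back to the CRL when no verifiable response is
available, which is the "OCSP for real-time, CRLs for backup" case.
The CA name, the ocsp.example.org and crl.example.org URLs, the serial
and the index.txt rows are constructed for the demo; registration of
proxy revocations is not modelled, since proxy certs never appear in
the CA's index.

```shell
#!/usr/bin/env bash
# Added example (not code from the caops-wg thread): a throwaway CA that stamps
# an EE cert with the CA's OCSP responder URL (AIA) and a CRL distribution
# point, answers OCSP requests with openssl's file-mode responder, and a
# client check that asks OCSP first and falls back to the CRL when the
# responder cannot be reached.  Names, URLs and the index.txt rows are
# constructed for the demo; proxy-certificate revocation is not modelled.
set -euo pipefail

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
OCSP_URL="http://ocsp.example.org/"          # assumed responder URL
CRL_URL="http://crl.example.org/demo.crl"    # assumed CRL location
EE_SERIAL=4097                               # decimal for 0x1001

setup_ca() {
  # One config for 'openssl req' (CA cert extensions) and 'openssl ca -gencrl'
  # (where the CA keeps its revocation database, index.txt).
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = .
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 1
EOF
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo CA" -keyout ca.key -out ca.pem 2>/dev/null
  # The EE cert carries where to ask (AIA) and where the backup CRL lives.
  printf 'authorityInfoAccess = OCSP;URI:%s\ncrlDistributionPoints = URI:%s\n' \
    "$OCSP_URL" "$CRL_URL" > ee.ext
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=demo user" -keyout ee.key -out ee.csr 2>/dev/null
  openssl x509 -req -in ee.csr -CA ca.pem -CAkey ca.key -set_serial "$EE_SERIAL" \
    -days 7 -extfile ee.ext -out ee.pem 2>/dev/null
}

# What a relying party learns from the cert itself before contacting anyone.
responder_url() { openssl x509 -in ee.pem -noout -ocsp_uri; }

# CA side: record the EE's status (V = valid, R = revoked) in index.txt, then
# publish both views of it: a fresh CRL and a signed OCSP response.
ca_set_status() {
  local serial
  serial=$(openssl x509 -in ee.pem -noout -serial); serial=${serial#serial=}
  # index.txt columns: status, expiry, revocation date[,reason], serial, file, DN
  # (expiry and revocation date are constructed constants).
  if [ "$1" = R ]; then
    printf 'R\t300101000000Z\t060129142208Z,keyCompromise\t%s\tunknown\t/CN=demo user\n' \
      "$serial" > index.txt
  else
    printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=demo user\n' "$serial" > index.txt
  fi
  openssl ca -config ca.cnf -gencrl -crldays 1 -out ca.crl 2>/dev/null
  # File-mode stand-in for the HTTP exchange: the client writes a request,
  # the responder answers it from index.txt and signs with the CA key.
  openssl ocsp -issuer ca.pem -cert ee.pem -no_nonce -reqout ocsp-req.der 2>/dev/null
  openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key -CAfile ca.pem \
    -no_nonce -reqin ocsp-req.der -respout ocsp-resp.der >/dev/null 2>&1
}

# Client side: OCSP first; with no verifiable response (a missing file stands
# in for an unreachable responder) fall back to the CRL.  Prints "<status> (<source>)".
check_status() {
  local resp=$1 out
  if [ -r "$resp" ] && out=$(openssl ocsp -respin "$resp" -issuer ca.pem -cert ee.pem \
        -CAfile ca.pem -no_nonce 2>/dev/null); then
    case $out in
      *"ee.pem: good"*)    echo "good (ocsp)";    return ;;
      *"ee.pem: revoked"*) echo "revoked (ocsp)"; return ;;
    esac
  fi
  out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile ca.crl ee.pem 2>&1) \
    && { echo "good (crl)"; return; }
  case $out in
    *"certificate revoked"*) echo "revoked (crl)" ;;
    *)                       echo "unknown (crl)" ;;   # CRL missing, stale or unverifiable
  esac
}

setup_ca
echo "responder URL from AIA: $(responder_url)"
for st in V R; do
  ca_set_status "$st"
  echo "index=$st  responder up: $(check_status ocsp-resp.der)   responder down: $(check_status no-response.der)"
done
```

Running it prints the responder URL read from the cert's AIA and, for
each index state, the verdict with the response available and with it
missing.  Against a real deployment the file-mode step would be replaced
by `openssl ocsp -url` pointed at the AIA address, with the CRL branch
kept as the partition fallback; note that "unknown (crl)" is the case
the paper's backup argument has to cover, when neither source is fresh.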
