[caops-wg] OCSP & Proxy Certs

Mike Helm helm at fionn.es.net
Mon Jan 30 11:01:10 CST 2006


On OCSP AIAs in end entity certs.

We discussed the problem of small CAs standing up 
an OCSP responder & operating it on a 24x7 basis;
this is one of the "cons" to the recommendation that
CAs do this, and stamp their EE certs with their
OCSP responder.

But it is not necessary that the CA provide its own
responder; it can delegate that right to another
responder, as Olle/David Groep (apparently) suggest.
So it is only necessary that a CA find an OCSP service
with which it can establish that relationship; then
it can include this responder URL in its certificates.
Obviously, this must be a long-term relationship, because
a change in responders or URL information will invalidate
those end entity certificates.
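
The arrangement described in the message above, as an added example that is not part of the original post: a throwaway CA issues an end entity cert whose AIA names a responder URL, plus a responder cert carrying the OCSPSigning extended key usage, which is how a CA authorizes another party to sign OCSP responses for it. The CA name, subject names, file names and the URL http://ocsp.example.org/ are constructed for illustration; the URL sits inside the signed certificate, so it cannot be changed without reissuing.

```bash
#!/usr/bin/env bash
# Added example: constructed names and URL, throwaway keys written to DIR.
set -eu

OCSP_URL="http://ocsp.example.org/"   # assumed URL of the delegated responder

build_demo_pki() {   # usage: build_demo_pki DIR
  dir=$1
  cat > "$dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[ee]
basicConstraints = CA:FALSE
authorityInfoAccess = OCSP;URI:${OCSP_URL}
[responder]
basicConstraints = CA:FALSE
extendedKeyUsage = OCSPSigning
EOF
  # Self-signed demo CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/pki.cnf" \
    -extensions ca -subj "/CN=Demo Small CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # One end entity cert (AIA stamped in) and one delegated responder cert
  for who in ee responder; do
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
      -subj "/CN=demo-$who" -keyout "$dir/$who.key" -out "$dir/$who.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$who.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 30 -extfile "$dir/pki.cnf" -extensions "$who" \
      -out "$dir/$who.pem" 2>/dev/null
  done
}

# Print the OCSP responder URL a relying party would read from the cert's AIA.
ocsp_uri_of() { openssl x509 -in "$1" -noout -ocsp_uri; }

# Succeeds only if CERT ($1) chains to CA ($2) and carries the OCSPSigning EKU.
is_delegated_responder() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -text | grep -q "OCSP Signing"
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); build_demo_pki "$d"; ocsp_uri_of "$d/ee.pem"
fi
```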




