[caops-wg] OCSP APIs for MyProxy and GT4 - Requirements document?

Jim Basney jbasney at ncsa.uiuc.edu
Tue Oct 24 12:33:29 CDT 2006


Mike Helm <helm at fionn.es.net> wrote:
> Jim Basney writes:
> > > > > what's the general capability of the myproxy ocsp client, or its
> > > > > intended application &c? thanks, ==mwh
> > > >
> > > > In an upcoming MyProxy release, it will be possible to configure the
> > > > myproxy-server to check certificate status via OCSP for stored
> > > > credentials before delegating a proxy certificate from those
> > > > credentials.
>
> How does it, or how do you see it choosing, between
> a configured OCSP responder (a default responder?),
> AIA extensions in EE certs, or local CRL files?

The "OCSP Requirements for Grids" document says:

  relying parties MUST be capable of handling both CRLs and OCSP, and it
  MUST be a configurable option which source of revocation to prefer and
  which to use as a backup, on a per-issuer basis.

and:

  Local configuration MUST have precedence over any service locator
  information located in the certificate's AIA extension. A default
  responder for all other issuers SHOULD be configurable as well.

I find the configuration requirements in the document to be quite
complex, and I suspect MyProxy will not meet them fully any time soon.
MyProxy will implement the following to start:

  - Always check CRLs if present.

  - Allow configuration of a trusted local OCSP responder.

  - Allow configuration of whether OCSP responders should be located via
    AIA extensions.

  - Allow configuration of whether the trusted local responder or AIA
    responder should take precedence.

-Jim
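As an added illustration (not MyProxy's code or its configuration syntax), a small Python model of the revocation-source ordering Jim describes above: CRLs first when present, then the configured local responder and any AIA-located responders in the configured precedence, with a source that cannot answer falling through to the next and no definitive answer treated as a failure rather than as "good". The config fields, responder URLs and sample answers are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical config mirroring the four options in the list above; it is not
# the real myproxy-server.config syntax.
@dataclass
class RevocationConfig:
    trusted_responder: Optional[str] = None  # configured local OCSP responder URL
    use_aia: bool = False                    # locate responders via the cert's AIA extension
    prefer_local: bool = True                # local responder before AIA responders

Source = Tuple[str, Optional[str]]  # ("crl", None) or ("ocsp", url)

def revocation_plan(cfg: RevocationConfig, crl_present: bool,
                    aia_ocsp_urls: List[str]) -> List[Source]:
    """Ordered list of revocation sources to consult for one certificate."""
    plan: List[Source] = [("crl", None)] if crl_present else []  # CRLs are always checked if present
    local = [("ocsp", cfg.trusted_responder)] if cfg.trusted_responder else []
    aia = [("ocsp", u) for u in aia_ocsp_urls] if cfg.use_aia else []
    for src in (local + aia) if cfg.prefer_local else (aia + local):
        if src not in plan:  # the local responder may also be listed in the AIA extension
            plan.append(src)
    return plan

def check_status(plan: List[Source], query: Callable[[Source], str]) -> str:
    """Consult sources in order; the first definitive answer wins.
    'unavailable' (responder down, CRL fetch failed) falls through to the next source."""
    for src in plan:
        answer = query(src)
        if answer in ("good", "revoked"):
            return answer
    return "unknown"  # no source answered: callers must treat this as a failure, not as good

# Constructed sample: the status each source would report for one stored credential.
SAMPLE_ANSWERS: Dict[Source, str] = {
    ("crl", None): "unavailable",                          # CRL configured but fetch failed
    ("ocsp", "http://ocsp.local.example/"): "unavailable",  # local responder down
    ("ocsp", "http://ocsp.ca.example/"): "revoked",         # AIA responder knows it is revoked
}

def sample_query(src: Source) -> str:
    return SAMPLE_ANSWERS.get(src, "unavailable")

if __name__ == "__main__":
    cfg = RevocationConfig(trusted_responder="http://ocsp.local.example/",
                           use_aia=True, prefer_local=True)
    plan = revocation_plan(cfg, crl_present=True, aia_ocsp_urls=["http://ocsp.ca.example/"])
    print(plan, check_status(plan, sample_query))
```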

