Russ Housley <hous...@vigilsec.com> wrote:
    >>> The second is, I think, that the EAP server (Authentication Server),
    >>> would run an OCSP responder locally so that it can mint its own staples.
    >>> AFAIK, each certificate can point to a different OCSP signer.
    >>
    >> Does anyone actually do that?

    > I am aware of some places that generate an OCSP response for the entire
    > population of certificates, and those responses are distributed to many
    > locations.  I am not aware of anyone that distributes the OCSP
    > responder signature private key to multiple locations.

Does anyone put different OCSP signers into different certificates?
I.e. shard the work?

I think that splitting the OCSP responses to many locations might solve the
industrial situation well.
I think that there is also some significant space to tune the validity
periods.

But, I agree with Eliot: the OCSP responder is new.

It seems that maybe SHOULD would be appropriate on OCSP.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
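The thread discusses an EAP server minting its own OCSP staples from a per-site OCSP signer and tuning the response validity period. The following Python script is an added illustration of that arrangement, not code from anyone on this list: it builds a constructed toy PKI (a CA, a delegated OCSP signer certificate with the OCSP-signing EKU, and an EAP server certificate whose AIA points at a hypothetical responder URL), mints a signed OCSP response with a chosen validity window, and then validates it the way a relying party would, including rejecting a staple whose nextUpdate has passed. It assumes the `cryptography` package is installed; all names, serials and the URL are made up.

```python
"""Mint a delegated-responder OCSP staple and validate it (added example)."""
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import (NameOID, ExtendedKeyUsageOID,
                                   AuthorityInformationAccessOID)
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, pubkey, signer_key, nb, na, exts):
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(nb).not_valid_after(na))
    for ext, critical in exts:
        b = b.add_extension(ext, critical)
    return b.sign(signer_key, hashes.SHA256())


def build_pki(now):
    """Constructed toy PKI: CA, a delegated per-site OCSP signer, EAP server cert."""
    nb, na = now - datetime.timedelta(days=1), now + datetime.timedelta(days=365)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = _cert(_name("Example CA"), _name("Example CA"), ca_key.public_key(),
               ca_key, nb, na, [(x509.BasicConstraints(ca=True, path_length=None), True)])
    # Delegated responder: the CA signs a separate key that only carries OCSP-signing EKU,
    # so the CA key itself never has to live at the EAP server.
    resp_key = ec.generate_private_key(ec.SECP256R1())
    responder = _cert(_name("OCSP signer site-A"), ca.subject, resp_key.public_key(),
                      ca_key, nb, na,
                      [(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), False)])
    srv_key = ec.generate_private_key(ec.SECP256R1())
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP,
        x509.UniformResourceIdentifier("http://ocsp-a.example.net"))])  # hypothetical URL
    server = _cert(_name("eap.example.net"), ca.subject, srv_key.public_key(),
                   ca_key, nb, na, [(aia, False)])
    return ca, responder, resp_key, server


def mint_staple(server, ca, responder, resp_key, this_update, validity):
    """Produce a DER OCSP response for `server`, valid for `validity` from this_update."""
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=server, issuer=ca, algorithm=hashes.SHA256(),
                          cert_status=ocsp.OCSPCertStatus.GOOD,
                          this_update=this_update, next_update=this_update + validity,
                          revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, responder)
            .certificates([responder])  # ship the delegated signer cert with the staple
            .sign(resp_key, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)


def validate_staple(der, server, ca, now):
    """Relying-party check; returns 'good' or a short reason for rejection."""
    r = ocsp.load_der_ocsp_response(der)
    if r.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "bad-status"
    if r.serial_number != server.serial_number:
        return "wrong-serial"
    if not (r.this_update <= now <= r.next_update):
        return "stale"  # outside the validity window the operator chose
    # Accept a delegated signer only if the issuing CA signed it and granted OCSP signing.
    signer = None
    for c in r.certificates:
        try:
            ca.public_key().verify(c.signature, c.tbs_certificate_bytes,
                                   ec.ECDSA(c.signature_hash_algorithm))
            eku = c.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except (InvalidSignature, x509.ExtensionNotFound):
            continue
        if c.issuer == ca.subject and ExtendedKeyUsageOID.OCSP_SIGNING in eku:
            signer = c
            break
    if signer is None:
        return "no-trusted-responder"
    try:
        signer.public_key().verify(r.signature, r.tbs_response_bytes,
                                   ec.ECDSA(r.signature_hash_algorithm))
    except InvalidSignature:
        return "bad-signature"
    return "good" if r.certificate_status == ocsp.OCSPCertStatus.GOOD else "revoked"


if __name__ == "__main__":
    now = datetime.datetime(2024, 6, 1, 12, 0, 0)
    ca, responder, rk, server = build_pki(now)
    staple = mint_staple(server, ca, responder, rk, now, datetime.timedelta(hours=4))
    print(validate_staple(staple, server, ca, now + datetime.timedelta(hours=1)))
    print(validate_staple(staple, server, ca, now + datetime.timedelta(hours=5)))
```

Each site running its own responder would hold only its own `resp_key`; sharding by site is then a matter of which signer certificate the CA issues and which AIA URL each end-entity certificate carries. The `validity` argument is the knob the thread calls "tuning the validity periods": a shorter window limits how long a stale staple is accepted, at the cost of re-minting more often.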
