Russ Housley <hous...@vigilsec.com> wrote:
>>> The second is, I think, that the EAP server (Authentication Server), would run
>>> an OCSP responder locally so that it can mint its own staples.
>>> AFAIK, each certificate can point to a different OCSP signer.
>>
>> Does anyone actually do that?

> I am aware of some places that generate an OCSP response for the entire
> population of certificates, and those responses are distributed to many
> locations. I am not aware of anyone that distributes the OCSP
> responder signature private key to multiple locations.

Does anyone put different OCSP signers into different certificates? I.e. shard the work?

I think that splitting the OCSP responses to many locations might solve the industrial situation well.
I think that there is also some significant space to tune the validity periods.

But, I agree with Eliot: the OCSP responder is new.
It seems that maybe SHOULD would be appropriate on OCSP.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
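The two deployment models discussed in the message above (an EAP server minting its own staples versus responses pre-generated centrally and distributed, with each certificate's AIA naming a different delegated OCSP signer) can be exercised end to end in a few dozen lines. The following is an added example, not code from the thread or from any EAP implementation; it uses the Python `cryptography` package, builds a throwaway CA, two delegated responder "shards" and two EAP server certificates in memory, mints a staple for each from the shard its AIA points at, and runs the checks an EAP server should apply to a distributed staple before presenting it: correct serial, delegated responder chained to the issuing CA and marked id-kp-OCSPSigning (RFC 6960 section 4.2.2.2), valid response signature, and a thisUpdate/nextUpdate window that is still open. All names, URLs, the fixed clock and the one-week staple lifetime are constructed for illustration.

```python
"""Per-certificate OCSP signers and pre-generated staples (added example, not from the thread).
Requires the 'cryptography' package. All PKI names/URLs below are constructed for illustration."""
import datetime as dt
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID, AuthorityInformationAccessOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature

UTC = dt.timezone.utc
NOW = dt.datetime(2024, 1, 1, tzinfo=UTC)      # fixed clock so the example is deterministic
STAPLE_LIFETIME = dt.timedelta(days=7)         # tunable validity period for distributed staples


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(cn, key, issuer_name, issuer_key, *extensions):
    b = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(issuer_name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - dt.timedelta(days=1)).not_valid_after(NOW + dt.timedelta(days=365)))
    for ext, critical in extensions:
        b = b.add_extension(ext, critical)
    return b.sign(issuer_key, hashes.SHA256())


# Hypothetical PKI: one CA and two delegated OCSP responders, each a "shard" with its own key.
ca_key = ec.generate_private_key(ec.SECP256R1())
ca_cert = _cert("Plant CA", ca_key, _name("Plant CA"), ca_key,
                (x509.BasicConstraints(ca=True, path_length=None), True))
responders = {}
for shard in ("a", "b"):
    k = ec.generate_private_key(ec.SECP256R1())
    c = _cert("OCSP signer " + shard, k, ca_cert.subject, ca_key,
              (x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), False))
    responders["http://ocsp-" + shard + ".plant.example"] = (k, c)


def issue_server_cert(cn, ocsp_url):
    """EAP server certificate whose AIA names the responder shard that signs its staples."""
    key = ec.generate_private_key(ec.SECP256R1())
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))])
    return _cert(cn, key, ca_cert.subject, ca_key, (aia, False))


def ocsp_url_of(cert):
    aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    return next(d.access_location.value for d in aia
                if d.access_method == AuthorityInformationAccessOID.OCSP)


def mint_staple(cert, this_update=NOW, status=ocsp.OCSPCertStatus.GOOD):
    """Central responder: sign with the shard key the certificate's AIA points at; returns DER."""
    key, rcert = responders[ocsp_url_of(cert)]
    revoked = status == ocsp.OCSPCertStatus.REVOKED
    b = (ocsp.OCSPResponseBuilder()
         .add_response(cert=cert, issuer=ca_cert, algorithm=hashes.SHA256(), cert_status=status,
                       this_update=this_update, next_update=this_update + STAPLE_LIFETIME,
                       revocation_time=this_update if revoked else None, revocation_reason=None)
         .responder_id(ocsp.OCSPResponderEncoding.HASH, rcert)
         .certificates([rcert]))   # carry the delegated responder cert so the peer can chain it
    return b.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def _aware(d):
    return d if d.tzinfo else d.replace(tzinfo=UTC)


def check_staple(der, cert, now=NOW, skew=dt.timedelta(minutes=5)):
    """What an EAP server should verify on a distributed staple before presenting it.
    Returns (ok, reason)."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "response status not successful"
    if resp.serial_number != cert.serial_number:
        return False, "response is for a different certificate"
    if not resp.certificates:
        return False, "no delegated responder certificate in response"
    rcert = resp.certificates[0]
    try:  # delegated responder must be issued by the certificate's own CA ...
        ca_cert.public_key().verify(rcert.signature, rcert.tbs_certificate_bytes,
                                    ec.ECDSA(rcert.signature_hash_algorithm))
        eku = rcert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except (InvalidSignature, x509.ExtensionNotFound):
        return False, "responder certificate not usable as a delegated responder"
    if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:   # ... and carry id-kp-OCSPSigning
        return False, "responder certificate lacks id-kp-OCSPSigning"
    try:
        rcert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                  ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return False, "bad response signature"
    if _aware(resp.this_update) > now + skew:
        return False, "thisUpdate in the future"
    if resp.next_update is None or _aware(resp.next_update) < now - skew:
        return False, "staple expired; refresh from the central responder"
    if resp.certificate_status != ocsp.OCSPCertStatus.GOOD:
        return False, "certificate status " + resp.certificate_status.name
    return True, "ok"


def demo():
    """Two servers on different shards, plus the failure modes a distributed cache hits."""
    srv_a = issue_server_cert("eap1.plant.example", "http://ocsp-a.plant.example")
    srv_b = issue_server_cert("eap2.plant.example", "http://ocsp-b.plant.example")
    return {
        "a_fresh": check_staple(mint_staple(srv_a), srv_a),
        "b_fresh": check_staple(mint_staple(srv_b), srv_b),
        "wrong_cert": check_staple(mint_staple(srv_a), srv_b),
        "stale": check_staple(mint_staple(srv_a, this_update=NOW - dt.timedelta(days=8)), srv_a),
        "revoked": check_staple(mint_staple(srv_a, status=ocsp.OCSPCertStatus.REVOKED), srv_a),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `stale` case is the one the validity-period tuning trades against: a longer `STAPLE_LIFETIME` lets an isolated plant run longer between refreshes from the central responder, at the cost of a longer window in which a revoked server keeps presenting a GOOD staple. Note that only the shard's signing key ever touches the response; the EAP servers hold DER blobs and the CA certificate, which is the arrangement Russ describes.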