Michael:

>> I am aware of some places that generate an OCSP response for the entire
>> population of certificates, and those responses are distributed to many
>> locations. I am not aware of anyone that distributes the OCSP
>> responder signature private key to multiple locations.
>
> Does anyone put different OCSP signers into different certificates?
> I.e. shard the work?

This could be done by including different AIA certificate extensions, but I am not aware of anyone that does so.

> I think that splitting the OCSP responses to many locations might solve the
> industrial situation well.

One could put multiple id-ad-ocsp entries in the AuthorityInfoAccess extension, but this could lead to a relying party trying each one in turn, resulting in a long timeout interval.

Russ

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
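
The timeout concern raised in the reply above, as an added example that is not part of the thread and not taken from any OCSP client: a simulation of a relying party walking several id-ad-ocsp URLs in order, with and without an overall time budget. The URLs, latencies, timeout values and function names are constructed assumptions, and no network traffic is sent.

```python
"""Simulated relying party trying each id-ad-ocsp URL from a certificate's
AuthorityInfoAccess extension in turn. Responder behaviour is modelled by a
table of constructed latencies, so nothing touches the network."""

# Constructed sample data: three OCSP access locations, first two unreachable.
AIA_OCSP_URLS = [
    "http://ocsp1.example.test",
    "http://ocsp2.example.test",
    "http://ocsp3.example.test",
]
LATENCY = {  # seconds until a response arrives; None means no answer at all
    "http://ocsp1.example.test": None,
    "http://ocsp2.example.test": None,
    "http://ocsp3.example.test": 0.2,
}


def query(url, timeout, latency=LATENCY):
    """Return (answered, seconds_spent) for one simulated OCSP request."""
    delay = latency[url]
    if delay is None or delay > timeout:
        return False, timeout          # waited the full timeout for nothing
    return True, delay


def check_status(urls, per_try_timeout, overall_deadline=None, latency=LATENCY):
    """Try responders in order; return (answering_url_or_None, elapsed).

    Without a deadline each dead responder costs per_try_timeout, so the
    wait grows with the number of AIA entries. With a deadline (an assumed
    client-side policy), each attempt is capped by the remaining budget.
    """
    elapsed = 0.0
    for url in urls:
        timeout = per_try_timeout
        if overall_deadline is not None:
            remaining = overall_deadline - elapsed
            if remaining <= 0:
                break                  # budget spent: stop trying
            timeout = min(timeout, remaining)
        answered, spent = query(url, timeout, latency)
        elapsed += spent
        if answered:
            return url, elapsed
    return None, elapsed
```

With a 10-second per-responder timeout the status arrives only after about 20 seconds; with a 5-second budget the wait is bounded, but the working third responder is never reached, so the relying party still needs a policy for an unanswered check.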