I need an OCSP responder that works with an INTERNAL LDAP directory, because
the organization of the Modena municipality (I'm working for them) put
certificates on an LDAP directory (on the intranet). In my context, the client
is the Apache server that needs to verify the client certificate status during
client auth; the responder is the module that I'm creating for mod_ssl, or
maybe it can be in OpenSSL, I'm thinking about it. But I think mod_ssl is
better, to perform different kinds of access to the server, depending on the
cert status.
I.e. if the cert is suspended you can only access a small part of the
application on the server (such as a cgi-bin that alerts you about the cert
status).
Then I'd also like to have HTTP OCSP, for completeness.
Tell me what you think about it.
Thanks
-----Original Message-----
From: Marc Jadoul <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday 8 April 1999 22.36
Subject: Re: ocsp developing
>Hi,
>
>I am also working on ocsp (not yet but soon ;-). I do not understand well
>what the ldap is doing in this and what you mean exactly.
>
>You need 2 things for ocsp:
>1/ A client that is ocsp aware. That could be mod_ssl patched to be ocsp
>aware.
>2/ An ocsp server. That could be a cgi (or php script) able to create
>ocsp response and decode ocsp request. This could be easily done with
>openssl but has nothing to do with mod_ssl.
>
>As you seem to be writing part 1 with mod_ssl as the client, you will
>probably use http as the transport protocol for ocsp too? Why use ldap?
>
>For part 2 you could use an internal ldap, (or even better, a sql DB)
>(behind a firewall !!) but using a public ldap as main repository for
>certificate status seems ... not secure or at least less secure than
>ocsp could be. The data source for status should be 'trusted' and it is
>not the meaning of a public directory.
>
>It's just my idea but of course you do what you want about it.
>
>Marc
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl) www.engelschall.com/sw/mod_ssl/
>Official Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
>
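
The status-dependent access discussed in this thread, as an added sketch that is not code from either poster or from mod_ssl. It assumes the status answer has already been fetched from the trusted internal source and decoded into a dict; the notice path, the clock-skew allowance and the sample answers are constructed. A suspended certificate is represented the way OCSP reports it, as "revoked" with reason certificateHold.

```python
import posixpath
from datetime import datetime, timedelta, timezone

NOTICE_PREFIX = "/cgi-bin/cert-status"   # hypothetical page that explains the status
SKEW = timedelta(minutes=5)              # assumed clock-skew allowance

def access_tier(answer, now):
    """Return 'full', 'notice' or 'deny' for one decoded status answer."""
    this_update = answer.get("this_update")
    next_update = answer.get("next_update")
    # Fail closed on a missing, future-dated or expired answer.
    if this_update is None or this_update - SKEW > now:
        return "deny"
    if next_update is not None and next_update + SKEW < now:
        return "deny"
    status = answer.get("status")
    if status == "good":
        return "full"
    # Suspension: temporarily revoked, so only the notice page is reachable.
    if status == "revoked" and answer.get("reason") == "certificateHold":
        return "notice"
    return "deny"  # permanently revoked, "unknown", or anything unexpected

def request_allowed(path, tier):
    """Check a request path against the tier; normalise to stop ../ escapes."""
    path = posixpath.normpath(path)
    if tier == "full":
        return True
    if tier == "notice":
        return path == NOTICE_PREFIX or path.startswith(NOTICE_PREFIX + "/")
    return False

# Constructed sample answers (not real responder output).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
FRESH = {"this_update": NOW - timedelta(hours=1),
         "next_update": NOW + timedelta(hours=23)}
SAMPLES = {
    "good": dict(FRESH, status="good"),
    "held": dict(FRESH, status="revoked", reason="certificateHold"),
    "revoked": dict(FRESH, status="revoked", reason="keyCompromise"),
    "unknown": dict(FRESH, status="unknown"),
    "stale": {"status": "good", "this_update": NOW - timedelta(days=9),
              "next_update": NOW - timedelta(days=8)},
}

if __name__ == "__main__":
    for name, answer in SAMPLES.items():
        tier = access_tier(answer, NOW)
        print(name, tier, request_allowed("/app/orders", tier),
              request_allowed(NOTICE_PREFIX, tier))
```

Denying on "unknown" and on stale answers means a responder outage locks users out; that trade-off is a policy choice the deployment has to make explicitly.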