> I need to test with a recent build, but while I have for a long
> time been able to successfully validate web sites with OCSP, despite
> often hitting bug 141256 (the lines Kai quoted when opening 141256
> were my analysis of this problem), I have never been able to validate
> mail certificates with OCSP inside the Certificate Manager.
> And the very same OCSP responder worked very well for web sites.

Good job on the recent nightlies, I could make OCSP work with them for mail messages.
Tested on Windows 2000 with 2002070310.

There are still two problems:
- The key for the received mail is shown broken, but when I ask for details it wrongly tells me that I do not trust the CA used. Only if I choose to view the certificate do I get the correct information that the certificate is revoked.
- In the certificate manager, the Certificate Viewer shows me the status of the certificate correctly, but my log shows me that each opening of this window results in 3 OCSP requests for a valid certificate, and 4 for a revoked certificate. This is far too much; in deployment, the OCSP responder will be overloaded very fast because of that. Only the Certificate Viewer has this problem; when opening the mail, only one request is made.

I think that for mail, the OCSP request result can be kept in cache locally, because if at the time the message was received, the OCSP responder said it was valid, any future revocation of the key does not impair the validity of the mail that was received before that. With the current setting of checking every time the message is opened, OCSP for mail means a lot of load for the OCSP responder.

That said, it's an excellent release. I had 4 open problems that I had not yet taken time to report (the main reason being I could not give you the necessary data to reproduce, I needed to find a way to reproduce with non-confidential data - freely accessible web site), and I can no longer reproduce them with the latest 1.1a nightly. They were:
- SSL access on a specific site that requires user authentication
- Verifying some signed mail from Outlook
- Deciphering some encrypted mail from Outlook
- This OCSP with email problem
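
An added example (not part of the original comment and not Mozilla or NSS code) of the caching the comment proposes: responses are reused per certificate until their `nextUpdate`, and the status seen when a mail was received is kept for that message. The responder stub, class names, CA name, serial and timestamps are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class OcspStatus:
    status: str              # "good" or "revoked"
    this_update: datetime
    next_update: datetime

class CountingResponder:
    """Constructed stand-in for an OCSP responder; counts the requests it receives."""
    def __init__(self, validity=timedelta(hours=4)):
        self.revoked, self.validity, self.requests = set(), validity, 0

    def query(self, issuer, serial, now):
        self.requests += 1
        status = "revoked" if (issuer, serial) in self.revoked else "good"
        return OcspStatus(status, now, now + self.validity)

class OcspCache:
    def __init__(self, responder):
        self.responder = responder
        self._fresh = {}    # (issuer, serial) -> response, reused until next_update
        self._pinned = {}   # (message id, issuer, serial) -> response seen at receipt

    def check(self, issuer, serial, now):
        """Certificate status now; asks the responder only when no fresh response is cached."""
        key = (issuer, serial)
        hit = self._fresh.get(key)
        if hit is None or not (hit.this_update <= now < hit.next_update):
            hit = self._fresh[key] = self.responder.query(issuer, serial, now)
        return hit

    def check_mail(self, message_id, issuer, serial, received):
        """Status as of receipt; later openings of the same message reuse it."""
        key = (message_id, issuer, serial)
        if key not in self._pinned:
            self._pinned[key] = self.check(issuer, serial, received)
        return self._pinned[key]

def demo():
    t0 = datetime(2002, 7, 3, 10, 0, tzinfo=timezone.utc)   # constructed timestamps
    responder = CountingResponder()
    cache = OcspCache(responder)
    for _ in range(3):                       # one viewer opening, three internal lookups
        cache.check("Example CA", 0x1001, t0)
    viewer_requests = responder.requests
    cache.check_mail("msg-1", "Example CA", 0x1001, t0)
    responder.revoked.add(("Example CA", 0x1001))            # revoked after receipt
    later = t0 + timedelta(days=7)
    reopened = cache.check_mail("msg-1", "Example CA", 0x1001, later)
    current = cache.check("Example CA", 0x1001, later)
    return viewer_requests, reopened.status, current.status, responder.requests
```

`demo()` returns `(1, "good", "revoked", 2)`: three viewer lookups cost one request, the reopened mail keeps its receipt-time status, and a fresh check of the certificate a week later reports the revocation.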