
RE: OCSP and LDAP
Hi Massimiliano,
    You should seriously consider having your responder work off a
CA's CRL, rather than trying to access its database directly.
There are a set of reasons why this is a good idea. Here are a
few (in no particular order):

- CA independence (might not be important for you)
- Helps auditability of the VA
- Allows better control over replication (where you don't need
	to rely on LDAP replication - most CAs won't want to
	replicate the rest of their LDAP data)
- Better performance - can keep the revocation data in memory and
	respond from memory - won't need to also have a LDAP lookup


Hope this helps,
Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani                                         650.759.9045
Malpani Consulting Services                      ambarish@xxxxxxxxxxx
http://www.malpani.biz
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx
> [mailto:owner-ietf-pkix@xxxxxxxxxxxx]On Behalf Of Massimiliano Pala
> Sent: Saturday, January 04, 2003 9:24 AM
> To: ietf-pkix@xxxxxxx
> Subject: OCSP and LDAP
> 
> 
> Hi all,
> 
> it might be an old question but if you cannot answer me I really don't know
> where to look... Here it is.
> 
> We are trying to rebuild our OCSPd backend and one of the possibilities was
> to use the LDAP server to store (besides the issued certificates) information
> needed by the OCSPd to build the responses (i.e. at least the status of the
> certificates).
> 
> Are there RFCs/recommendations that will help us in using a good schema
> for storing this kind of information and in not making big mistakes?
> 
> Thanks to you all for all the work you are doing.
> 
> -- 
> 
> C'you on the bit stream,
> 
> 	Massimiliano Pala
> 
> --o-------------------------------------------------------------------------
> Massimiliano Pala [OpenCA Project Manager]                madwolf@xxxxxxxxxx
>                                                   Tel.:   +39 (0)59  270  094
> http://www.openca.org                            Fax:    +39   178  221 8225
> http://openca.sourceforge.net                    Mobile: +39 (0)347 7222 365
>