Re: [Fed-Talk] Memory usage spikes when viewing Signed Emails
- Subject: Re: [Fed-Talk] Memory usage spikes when viewing Signed Emails
- From: "Timothy J. Miller" <email@hidden>
- Date: Tue, 28 Aug 2007 20:13:34 -0700
On Aug 28, 2007, at 4:14 PM, Shawn A. Geddis wrote:
> (Side Note: To the best of my knowledge, all DoD CAC are still being
> issued Certs with URIs for CRL Distribution Points rather than URIs
> for OCSP (AIA Extensions)).
Bzzt, incorrect, but thank you for playing. :)
We've been using OCSP pointers in AIA for a while now. In a couple
more years, all non-OCSP certs will have expired and be out of
circulation for good.
An additional problem here is that Apple's ocspd doesn't work with
the DoD OCSP trust model. DoD uses the delegated trust model, where
the OCSP responder has its own self-signed cert. Most OCSP
deployments use the CA trust (CA answers OCSP itself) or CA delegated
trust (CA issues a cert to an OCSP responder) models.
I've logged a bug on this, but usually I never hear anything until a
patch is issued. (nudge nudge, Shawn ;)
The DoD OCSP trust model *will* be changing to CA delegated some time
in the next year, IIRC, but I don't know exactly when.
> Since the DoD CRL Distribution Points can be more than overloaded,
> several sites within DoD began installing OCSP Validators (server-side
> service) to handle OCSP requests --- much less overhead than
> the CRL method.
The DoD OCSP service is globally distributed and load balanced
through the AIA OCSP URL you'll find in recent end-entity
certificates: http://ocsp.disa.mil
-- Tim
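The three responder trust models Tim contrasts above, as an added example in Go that is not code from this thread, from Apple's ocspd or from any DoD software: it mints constructed test certificates and classifies the certificate that signed an OCSP response as CA trust, CA delegated trust (CA-issued responder cert with id-kp-OCSPSigning), or an explicitly trusted stand-alone responder, which is the only way a self-signed responder cert can pass. The function names mkCert and ResponderTrust and the certificate contents are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"slices"
	"time"
)

// mkCert mints a constructed test cert; parent == nil makes it self-signed (a root CA, or a stand-alone responder).
func mkCert(cn string, ku x509.KeyUsage, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
		KeyUsage: ku, ExtKeyUsage: eku,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ResponderTrust reports under which RFC 2560 model the certificate that signed an
// OCSP response is acceptable for certificates issued by issuer: "ca" (the CA answers
// itself), "ca-delegated" (CA-issued responder cert carrying id-kp-OCSPSigning),
// "explicit-trust" (responder cert on the client's own trust list; the only way a
// self-signed responder, as in the DoD model, passes) or "untrusted".
func ResponderTrust(signer, issuer *x509.Certificate, explicit []*x509.Certificate) string {
	if signer.Equal(issuer) {
		return "ca"
	}
	if signer.CheckSignatureFrom(issuer) == nil && slices.Contains(signer.ExtKeyUsage, x509.ExtKeyUsageOCSPSigning) {
		return "ca-delegated"
	}
	if slices.ContainsFunc(explicit, signer.Equal) {
		return "explicit-trust"
	}
	return "untrusted"
}
```

A client that only implements the first two checks, as the message says Apple's ocspd did, will reject a stand-alone responder's responses no matter how the responder is configured.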