Re: [Fed-Talk] Memory usage spikes when viewing Signed Emails
- Subject: Re: [Fed-Talk] Memory usage spikes when viewing Signed Emails
- From: Paul Nelson <email@hidden>
- Date: Wed, 29 Aug 2007 09:25:03 -0500
- Thread-topic: [Fed-Talk] Memory usage spikes when viewing Signed Emails

on 8/28/07 10:13 PM, Timothy J. Miller at email@hidden wrote:

> An additional problem here is that Apple's ocspd doesn't work with
> the DoD OCSP trust model. DoD uses the delegated trust model, where
> the OCSP responder has its own self-signed cert. Most OCSP
> deployments use the CA trust (CA answers OCSP itself) or CA delegated
> trust (CA issues a cert to an OCSP responder) models.

Apple's doesn't work with this model, but even worse, there is no way to
change the trust model for Apple apps like Mail or Safari in the field. If
Apple won't do delegated OCSP, then they should at least make provisions for
third parties. I've filed bug reports on this.

However, Apple does have the code to handle using a delegated OCSP
responder. ADmitMac for CAC uses this with its own certificate status
checking and it works well, and is very fast compared to CRL. However, our
status checking can't be used by Safari, etc.

You will know that Apple has addressed this issue when the Keychain prefs
allow you to specify the URL to an OCSP responder, and the certificate
needed to verify OCSP response signatures.

Paul Nelson
Thursby Software Systems, Inc.
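
The three responder trust models named in this thread, as an added example that is not part of the original message or of any Apple or Thursby code: a sketch of the responder-authorization decision from RFC 2560 section 4.2.2.2, showing why a self-signed responder certificate is only accepted when the client has it in local configuration. Certificates are modelled as plain records with no real signature verification, and every name in it (`Cert`, `responder_trust_model`, the sample subjects and key labels) is hypothetical.

```python
from dataclasses import dataclass

OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning


@dataclass(frozen=True)
class Cert:
    """Simplified certificate record (assumption: no real ASN.1 or signatures)."""
    subject: str
    issuer: str
    key_id: str          # stands in for the subject public key
    signed_by_key: str   # stands in for "signature verifies under this key"
    ekus: frozenset = frozenset()


def issued_by(cert, ca):
    """True if `cert` names `ca` as issuer and is signed with the CA's key."""
    return cert.issuer == ca.subject and cert.signed_by_key == ca.key_id


def responder_trust_model(responder, issuing_ca, local_responders=()):
    """Return the model that authorizes `responder` to sign status for
    certificates issued by `issuing_ca`, or None if nothing authorizes it."""
    if responder == issuing_ca:
        return "ca"                  # CA answers OCSP itself
    if issued_by(responder, issuing_ca) and OCSP_SIGNING_EKU in responder.ekus:
        return "ca-delegated"        # CA issued a cert to the responder
    if responder in local_responders:
        return "locally-configured"  # responder cert pinned on the client
    return None


# Constructed sample certificates, not taken from any real PKI.
CA = Cert("CN=Example CA", "CN=Example Root", "ca-key", "root-key")
DELEGATED = Cert("CN=Example OCSP", "CN=Example CA", "ocsp-key", "ca-key",
                 frozenset({OCSP_SIGNING_EKU}))
NO_EKU = Cert("CN=Example Server", "CN=Example CA", "srv-key", "ca-key")
SELF_SIGNED = Cert("CN=Standalone Responder", "CN=Standalone Responder",
                   "vr-key", "vr-key", frozenset({OCSP_SIGNING_EKU}))

if __name__ == "__main__":
    for name, cert, pinned in [("CA", CA, ()), ("delegated", DELEGATED, ()),
                               ("no EKU", NO_EKU, ()),
                               ("self-signed", SELF_SIGNED, ()),
                               ("self-signed, pinned", SELF_SIGNED, (SELF_SIGNED,))]:
        print(f"{name:22} -> {responder_trust_model(cert, CA, pinned)}")
```
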