Re: [Fed-Talk] Memory usage spikes when viewing Signed Emails
- Subject: Re: [Fed-Talk] Memory usage spikes when viewing Signed Emails
- From: Shawn A. Geddis <email@hidden>
- Date: Wed, 29 Aug 2007 16:01:55 -0400
On Aug 28, 2007, at 11:13 PM, Timothy J. Miller wrote:

> On Aug 28, 2007, at 4:14 PM, Shawn A. Geddis wrote:
>
>> (Side Note: To the best of my knowledge, all DoD CAC are still being
>> issued Certs with URIs for CRL Distribution Points rather than URIs
>> for OCSP (AIA Extensions)).
>
> Bzzt, incorrect, but thank you for playing. :)
>
> We've been using OCSP pointers in AIA for a while now. In a couple
> more years, all non-OCSP certs will have expired and be out of
> circulation for good.

Extra Credit goes to Tim and the Air Force!! :-) Glad to hear it
and I hope the others quickly follow your lead.

> An additional problem here is that Apple's ocspd doesn't work with
> the DoD OCSP trust model. DoD uses the delegated trust model, where
> the OCSP responder has its own self-signed cert. Most OCSP
> deployments use the CA trust (CA answers OCSP itself) or CA
> delegated trust (CA issues a cert to an OCSP responder) models.
>
> I've logged a bug on this, but usually I never hear anything until a
> patch is issued. (nudge nudge, Shawn ;)

Noted as a duplicate.

> The DoD OCSP trust model *will* be changing to CA delegated some
> time in the next year, IIRC, but I don't know exactly when.

Noted. Please provide any reference to direction or timeline on this.

>> Since the DoD CRL Distribution Points can be more than overloaded,
>> several sites within DoD began installing OCSP Validators (server-
>> side service) to handle OCSP requests --- much less overhead than
>> the CRL method.
>
> The DoD OCSP service is globally distributed and load balanced
> through the AIA OCSP URL you'll find in recent end-entity
> certificates: http://ocsp.disa.mil

Again, you receive extra credit!
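The three responder-trust models discussed in the thread (CA trust, CA-delegated trust, and a responder with its own self-signed certificate) correspond to the responder-authorization rules in RFC 6960, section 4.2.2.2. The Python below is an added illustration of that decision, not code from the thread, from DoD, or from Apple's ocspd. It models a certificate as a small record with constructed names and shows why a client that only implements the first two models rejects a self-signed responder unless that responder is explicitly configured as trusted. Signature and chain validation of the OCSP response are assumed to happen elsewhere; only the "is this signer allowed to answer for this CA?" step is shown.

```python
"""Model of the OCSP responder-authorization decision (RFC 6960, 4.2.2.2).

Added illustration; not code from the thread or from Apple's ocspd.
All certificate names below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# id-kp-OCSPSigning extended key usage OID (RFC 6960, section 4.2.2.2)
OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the fields the
    authorization rule needs (no keys, no signatures)."""
    subject: str
    issuer: str
    ekus: FrozenSet[str] = frozenset()

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def responder_trust_model(signer: Cert, issuing_ca: Cert,
                          trusted_responders: FrozenSet[Cert] = frozenset()
                          ) -> Optional[str]:
    """Return which trust model authorizes `signer` to answer for
    certificates issued by `issuing_ca`, or None if it is not authorized.

    `trusted_responders` models the client's explicitly configured OCSP
    signer trust anchors, which is what the "delegated trust model" in the
    thread (responder with its own self-signed cert) relies on.
    """
    # Model 1, "CA trust": the issuing CA signs the response itself.
    if signer == issuing_ca:
        return "CA trust"
    # Model 2, "CA-delegated trust": the CA issued the responder a cert
    # carrying id-kp-OCSPSigning. A CA-issued cert without that EKU is
    # not an authorized responder.
    if signer.issuer == issuing_ca.subject and OCSP_SIGNING_EKU in signer.ekus:
        return "CA-delegated trust"
    # Model 3, "locally-configured trust": the responder's own (typically
    # self-signed) cert must be pinned by the client. A client with no
    # such configuration, as the thread describes for ocspd, stops here.
    if signer in trusted_responders:
        return "locally-configured trust"
    return None


# Constructed certificates for a DoD-style deployment (names are made up).
DOD_CA = Cert(subject="CN=EXAMPLE DOD CA", issuer="CN=EXAMPLE DOD ROOT")
# Responder with its own self-signed certificate: the model the thread
# says DoD currently uses.
DOD_SELF_SIGNED_RESPONDER = Cert(subject="CN=EXAMPLE OCSP RESPONDER",
                                 issuer="CN=EXAMPLE OCSP RESPONDER")
# Responder certificate issued by the CA with the OCSP signing EKU: the
# CA-delegated model the thread says DoD is moving to.
DOD_DELEGATED_RESPONDER = Cert(subject="CN=EXAMPLE OCSP SIGNER",
                               issuer="CN=EXAMPLE DOD CA",
                               ekus=frozenset({OCSP_SIGNING_EKU}))
# Ordinary CA-issued end-entity cert (emailProtection EKU only); must
# never be accepted as a responder for other certs of the CA.
DOD_END_ENTITY = Cert(subject="CN=SOME USER", issuer="CN=EXAMPLE DOD CA",
                      ekus=frozenset({"1.3.6.1.5.5.7.3.4"}))


def evaluate(client_trusted: FrozenSet[Cert]) -> Dict[str, Optional[str]]:
    """Run each candidate signer through the rule for one client config."""
    candidates = {
        "self-signed responder": DOD_SELF_SIGNED_RESPONDER,
        "delegated responder": DOD_DELEGATED_RESPONDER,
        "issuing CA": DOD_CA,
        "end-entity cert": DOD_END_ENTITY,
    }
    return {name: responder_trust_model(c, DOD_CA, client_trusted)
            for name, c in candidates.items()}


if __name__ == "__main__":
    print("client with no locally configured responder trust:")
    for name, result in evaluate(frozenset()).items():
        print(f"  {name:22s} -> {result}")
    print("client with the self-signed DoD responder pinned:")
    for name, result in evaluate(frozenset({DOD_SELF_SIGNED_RESPONDER})).items():
        print(f"  {name:22s} -> {result}")
```

Running it shows the self-signed responder rejected by the first client and accepted by the second, while the CA-delegated responder is accepted by both and the plain end-entity certificate by neither. This is the gap the thread describes: moving DoD to CA-delegated trust removes the need for per-client responder configuration, since the authorization then follows from the CA's own signature on the responder certificate.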