Re: OCSP setup and responder settings, setup of CRLs (UNCLASSIFIED)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Oct 9, 2007, at 2:12 PM, Lippold, Aaron L CIV DISA PEO-GES wrote:

Two questions, first, which conf file holds the OCSP responder hostname that I want my cert to validate to and can I use more than one? Second,
has anyone setup CRLs yet and have some docs on it? I need to add that
to the OSSG / PKI docs for the linux setup stuff.

I don't think that's supported in NSS at the moment. IIRC, NSS requires the OCSP URI in the AIA field. Bob can say for certain.

I *think* I still have an open bug @ Mozilla on it, but it's been a while since I checked.

Also note that I believe that proxy support for OCSP is still missing in NSS. This is fixed in Firefox & Thunderbird, but only because both of these applications (which embed NSS) have their own URL handler, and the quick fix was to allow an embedding application to register a URL handler callback. This won't work with pam_pkcs11 since it doesn't have a URL handler to register.

-- Tim

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Coolkey-devel mailing list

[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Women]

  Powered by Linux