A starter page only.  Fill it out!

== Intro ==
This Procedure is for sysadms running responders.  See [[OcspResponder]] for user information.

=== Authority ===
It is created by [[SecurityManual]] under authority of [[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#1.4.3|Security Policy]].

== Operator ==

System Administration team leader may delegate operation of a responder to a Member under SP/SM.  This present document is the contract under which this responder is operated.

== Running the Responder ==

=== Logging & Privacy ===

Data that identifies an individual (certificate) is not to be logged.  If an exception to this is required, e.g., for debugging, it must be filed to Arbitration and done under that oversite.

=== Certificate ===

The OCSP responder requires a special certificate which is ''WHAT'' and produced ''HOW?''

=== Other stuff ===

''surely lots... like''

 * software to use
 * OS/platform requirements
 * relationship to CRLs, downloading, frequency
 * URL types.

== Correctness ==

''How do we ensure the correctness of a responder's replies, especially where outsourced?''
Given that we need to sign each reply of the responder with a special certificate key,
it is probably not wise to consider outsourcing OCSP responder service at this time.
We may still want to run multiple OCSP responders though, but under full CAcert control
(to protect leakage of the signing key). Correctness is not an issue in that case,
simply retrieve the crls with sufficient frequency.

== Current Responders ==

=== Responder #1 ===

It is running on ocsp.cacert.org, which is a virtual server sitting on a server in the CAcert rack in Ede.

Operator:  unknown!  Status:  inhouse, not outsourced.


----
CategoryProcedures