A starter page only. Fill it out!


This Procedure is for sysadms running responders. See OcspResponder for user information.


It is created by SecurityManual under authority of Security Policy.


System Administration team leader may delegate operation of a responder to a Member under SP/SM. This present document is the contract under which this responder is operated.

Running the Responder

Logging & Privacy

Data that identifies an individual (certificate) is not to be logged. If an exception to this is required, e.g., for debugging, it must be filed to Arbitration and done under that oversite.


The OCSP responder requires a special certificate which is WHAT and produced HOW?

Other stuff

surely lots... like


How do we ensure the correctness of a responder's replies, especially where outsourced? Given that we need to sign each reply of the responder with a special certificate key, it is probably not wise to consider outsourcing OCSP responder service at this time. We may still want to run multiple OCSP responders though, but under full CAcert control (to protect leakage of the signing key). Correctness is not an issue in that case, simply retrieve the crls with sufficient frequency.

Current Responders

Responder #1

It is running on ocsp.cacert.org, which is a virtual server sitting on a server in the CAcert rack in Ede.

Operator: unknown! Status: inhouse, not outsourced.


SystemAdministration/Procedures/OcspResponder (last edited 2009-03-24 14:00:28 by SunTzuMelange)