A starter page only. Fill it out!
Intro
This Procedure is for sysadms running responders. See OcspResponder for user information.
Authority
It is created by SecurityManual under authority of Security Policy.
Operator
System Administration team leader may delegate operation of a responder to a Member under SP/SM. This present document is the contract under which this responder is operated.
Running the Responder
Logging & Privacy
Data that identifies an individual (certificate) is not to be logged. If an exception to this is required, e.g., for debugging, it must be filed to Arbitration and done under that oversite.
Certificate
The OCSP responder requires a special certificate which is WHAT and produced HOW?
Other stuff
surely lots... like
- software to use
- OS/platform requirements
- relationship to CRLs, downloading, frequency
- URL types.
Correctness
How do we ensure the correctness of a responder's replies, especially where outsourced? Given that we need to sign each reply of the responder with a special certificate key, it is probably not wise to consider outsourcing OCSP responder service at this time. We may still want to run multiple OCSP responders though, but under full CAcert control (to protect leakage of the signing key). Correctness is not an issue in that case, simply retrieve the crls with sufficient frequency.
Current Responders
Responder #1
It is running on ocsp.cacert.org, which is a virtual server sitting on a server in the CAcert rack in Ede.
Operator: unknown! Status: inhouse, not outsourced.