On 1/12/09, Thomas NOEL <thomas.n...@auf.org> wrote:
> Hello,
>
> Alon Bar-Lev wrote:
>
> > Thank you for the patch.
> > I am more in favor of adding OCSP support into OpenVPN.
> > It should be very easy using OpenSSL trunk.
> > Also available at [1].
> > So if you can help perfecting this patch it would be a step in the
> > right direction.
> > [1] http://www.block64.net/
>
> I think it is not as flexible as Mathieu's patch.
>
> For example, a certificate or a CA can provide its own "Authority
> Information Access" (via an X.509 extension) with the URL of a preferred
> OCSP server... Managing this kind of configuration inside OpenVPN is not
> easy.

This is why I wrote "perfecting this patch" :)

> The "--tls-export-cert" option (proposed by Mathieu) puts the complexity
> in a script, where you are only limited by your imagination: OCSP is an
> example, but you can also think about OCSP with fallback, SCVP,
> revocation with delta CRLs, check against an NSS database, etc. Think
> about blacklists, too...
>
> We can not integrate all these cases directly in OpenVPN. An external
> system (as for all other scripts in OpenVPN) provides a very efficient
> solution.

I think all the above can be implemented as logic in an OCSP responder...
OpenVPN needs a standard way to forward the certificate.
Standard == OCSP
If a simple script-based OCSP is out there, then all you need is solved.

> Just my 2 cents..

Thanks!
Alon.
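As an added illustration of the script-based approach discussed in the thread (this is example code written for this page, not Mathieu's patch, Alon's OCSP work, or anything shipped by OpenVPN): a small POSIX shell verify script that takes the exported peer certificate, reads the OCSP responder URL from the certificate's own "Authority Information Access" extension with `openssl x509 -ocsp_uri`, queries that responder with `openssl ocsp`, and accepts the peer only if the response both verifies and says "good". It assumes the exported certificate path and the issuer/CA file are passed as arguments (under `--tls-export-cert` OpenVPN exposes the path in the `peer_cert` environment variable; the argument convention here is an assumption of the example), and it fails closed when no OCSP URL is present, which is the fallback decision a site policy has to make explicitly. The `make_test_cert` helper builds constructed self-signed certificates so the AIA extraction path can be exercised offline; it needs an OpenSSL that supports `-addext` (1.1.1 or later).

```shell
#!/bin/sh
# Added example: OCSP check driven by the certificate's own AIA extension,
# intended to run as an OpenVPN --tls-verify style script against the
# certificate file exported by --tls-export-cert (argument convention assumed).
set -u

# Print the OCSP responder URI(s) from the certificate's AIA extension, or
# nothing if the certificate carries no such extension.
ocsp_uri_of() {
    openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null
}

# Decide on a peer certificate. $1 = exported peer cert (PEM), $2 = issuer CA
# (PEM) used both to build the OCSP request and to verify the response.
# Prints the verdict; returns 0 to accept, 1 to reject.
verify_exported_cert() {
    cert=$1
    issuer=$2
    # Take the first URI only; certificates may list several.
    uri=$(ocsp_uri_of "$cert" | head -n 1)
    if [ -z "$uri" ]; then
        # Fail closed: no responder is known for this certificate. A site that
        # wants a CRL fallback would branch here instead.
        echo "reject: no OCSP URI in AIA extension"
        return 1
    fi
    # Network query to the responder named by the certificate.
    out=$(openssl ocsp -issuer "$issuer" -CAfile "$issuer" \
                       -cert "$cert" -url "$uri" 2>&1) || {
        echo "reject: OCSP query to $uri failed"
        return 1
    }
    # A "good" status is only meaningful if the response signature verified.
    case "$out" in
        *"Response verify OK"*) ;;
        *) echo "reject: OCSP response from $uri did not verify"; return 1 ;;
    esac
    case "$out" in
        *": good"*) echo "accept: $uri reports good"; return 0 ;;
        *)          echo "reject: $uri did not report good"; return 1 ;;
    esac
}

# Constructed test data: a throw-away self-signed certificate, optionally
# carrying an AIA extension with the given OCSP URI (requires OpenSSL >= 1.1.1).
# $1 = output PEM file, $2 = optional OCSP URI.
make_test_cert() {
    if [ -n "${2:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed" \
            -addext "authorityInfoAccess=OCSP;URI:$2" \
            -keyout /dev/null -out "$1" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed" \
            -keyout /dev/null -out "$1" 2>/dev/null
    fi
}
```

In a real deployment the script would be wired in with `--tls-verify` and read the path from `peer_cert`; the offline test below only exercises the extraction and the fail-closed branch, since the responder query needs network access.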