The Online Certificate Status Protocol (OCSP) provides a means for real-time verification of certificate validity, to determine whether a certificate has been compromised and revoked by a Certificate Authority (CA). MyProxy can be configured to check the OCSP status of certificates stored in its repository, so that revoked credentials are deleted and cannot be retrieved.

The myproxy-server uses two methods to locate OCSP responders for checking the validity of a certificate. One method is to use the URL in the AuthorityInfoAccess extension of the certificate to be checked. This extension is set by CAs that provide OCSP responders for their certificates. The other method is to use a locally trusted OCSP responder that can potentially provide status information on certificates from many different CAs. Locally trusted responders can be provided by organizations to implement local policies and/or to provide better performance than remote responders.

Three myproxy-server.config parameters control OCSP checking. The ocsp_policy parameter controls whether the AuthorityInfoAccess extension URL should be used and whether it should take precedence over any locally trusted OCSP responders. The ocsp_responder_url parameter indicates that a locally trusted OCSP responder should be used, and the ocsp_responder_cert parameter specifies the path to the certificate used to authenticate the locally trusted OCSP responder.

The myproxy-admin-query command can be used to check the validity of credentials in the MyProxy repository. An example cron script that uses myproxy-admin-query is provided in $GLOBUS_LOCATION/share/myproxy/myproxy.cron for removing expired or revoked credentials from the MyProxy repository. You will need to edit the file to set the GLOBUS_LOCATION environment variable correctly before installing it in (for example) /etc/cron.hourly.

Additional information about OCSP is available:
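As an added illustration that is not part of MyProxy or this page, the following POSIX shell script reproduces the two responder-lookup methods described above using OpenSSL: it reads the OCSP URI from the certificate's AuthorityInfoAccess extension, falls back to a locally trusted responder according to a policy, and uses the responder's certificate to authenticate that responder (the role ocsp_responder_cert plays for myproxy-server). The policy names (aia-first, local-first, local-only), the script name and the URLs are assumptions made for this example, not the values myproxy-server.config accepts.

```shell
#!/bin/sh
# Added example (not MyProxy code): choose an OCSP responder for a certificate
# and query it with openssl, mirroring the AIA-vs-local-responder choice that
# the ocsp_policy / ocsp_responder_url / ocsp_responder_cert settings control.
#
# Hypothetical policy names used here (not MyProxy's own option values):
#   aia-first    use the AuthorityInfoAccess OCSP URI if present, else the local responder
#   local-first  use the local responder if configured, else the AIA URI
#   local-only   never consult the AIA URI

# Print the first OCSP URI found in the certificate's AuthorityInfoAccess
# extension; prints nothing when the CA did not set one.
aia_ocsp_url() {
    openssl x509 -noout -ocsp_uri -in "$1" 2>/dev/null | head -n 1
}

# Usage: choose_responder CERT POLICY LOCAL_URL  -> prints the responder URL to use
choose_responder() {
    cert=$1; policy=$2; local_url=$3
    aia=$(aia_ocsp_url "$cert")
    case $policy in
        aia-first)   echo "${aia:-$local_url}" ;;
        local-first) echo "${local_url:-$aia}" ;;
        local-only)  echo "$local_url" ;;
        *) echo "unknown policy: $policy" >&2; return 1 ;;
    esac
}

# Usage: ocsp_status CERT ISSUER URL [RESPONDER_CERT]  -> prints good|revoked|unknown
# RESPONDER_CERT, when given, is passed as -VAfile so openssl explicitly trusts
# that responder certificate, as ocsp_responder_cert does for a local responder.
ocsp_status() {
    cert=$1; issuer=$2; url=$3; va=$4
    if [ -n "$va" ]; then set -- -VAfile "$va"; else set --; fi
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" "$@" 2>/dev/null |
        awk '$2=="good"||$2=="revoked"||$2=="unknown" {print $2; exit}'
}

# Driver (hypothetical script name ocsp-check.sh):
#   ocsp-check.sh CERT ISSUER POLICY LOCAL_URL [RESPONDER_CERT]
if [ $# -ge 4 ]; then
    url=$(choose_responder "$1" "$3" "$4") || exit 1
    [ -n "$url" ] || { echo "no OCSP responder available for $1" >&2; exit 1; }
    ocsp_status "$1" "$2" "$url" "$5"
fi
```

A credential whose status comes back as "revoked" is the case the page's cron job exists to remove from the repository.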
Last modified 02/28/07.