
CRL & OCSP

Tauth publishes standard certificate revocation information for its CA hierarchy, a CRL and an OCSP responder, so that C2PA validators and TLS clients can check whether a certificate has been revoked. Both are served over plain HTTP on purpose: a revocation check that itself required a TLS handshake would loop back into certificate validation, and the integrity of a CRL or OCSP response comes from the CA signature on it, not from the transport.

CRL (Certificate Revocation Lists)

CRLs are DER-encoded binary files generated by pki/generate_crl.py and served statically by nginx. There are two: leaf.crl, signed by the Sub-CA key and listing revoked end-entity certificates, and sub-ca.crl, signed by the Root CA key and covering the Sub-CA itself.

Generate CRLs

```bash
cd /home/ubuntu/p
source env/bin/activate
python pki/generate_crl.py
```

Output:

Signing leaf.crl with Sub-CA key...
  wrote /var/www/crl/leaf.crl (NNN bytes)
Signing sub-ca.crl with Root CA key...
  wrote /var/www/crl/sub-ca.crl (NNN bytes)
Done.

Schedule automatic regeneration

CRLs are issued with a nextUpdate 7 days out. Regenerating exactly weekly leaves no margin: if one run fails, every validator sees an expired CRL until the next run, and strict clients will refuse the certificate while soft-fail clients silently skip the check. Regenerate daily, so a single failed run costs hours rather than a week, and rerun the script immediately after revoking a certificate so the revocation is published without waiting for the schedule. The virtualenv lives under the repository (see the manual steps above), so the job must use that path and run from the repository directory:

```bash
crontab -e
```

```cron
0 3 * * *  cd /home/ubuntu/p && env/bin/python pki/generate_crl.py >> /var/log/tauth-crl.log 2>&1
```

Nginx config

```nginx
server {
    listen 80;
    server_name crl.tauth.io;

    location / {
        root /var/www/crl;
        default_type application/pkix-crl;
        add_header Cache-Control "public, max-age=3600";
    }
}
```

Test

```bash
curl -I http://crl.tauth.io/leaf.crl
# Content-Type: application/pkix-crl

# bash process substitution; -CAfile checks the CRL signature against the Sub-CA
# certificate and prints "verify OK", and -text shows the Next Update to compare
# against the clock
openssl crl -in <(curl -s http://crl.tauth.io/leaf.crl) -inform DER -text -noout \
  -CAfile /home/ubuntu/p/pki/tauth-sub-ca.pem
```

OCSP Responder

The OCSP responder is a FastAPI application (ocsp/responder.py) running on port 8080.

Start the service

```bash
sudo systemctl start tauth-ocsp
sudo systemctl status tauth-ocsp
```

Nginx proxy config

```nginx
server {
    listen 80;
    server_name ocsp.tauth.io;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_read_timeout 10s;
        proxy_request_buffering off;
    }
}
```

Health check

```bash
curl http://ocsp.tauth.io/health
# {"status":"ok"}
```

Test with OpenSSL

```bash
# -VAfile trusts the Sub-CA certificate as the response signer (the responder
# signs with the issuer's own key); without it the signer chain is checked
# against the system trust store, which does not contain the Tauth CAs
openssl ocsp \
  -issuer /home/ubuntu/p/pki/tauth-sub-ca.pem \
  -cert /path/to/leaf.pem \
  -url http://ocsp.tauth.io \
  -VAfile /home/ubuntu/p/pki/tauth-sub-ca.pem \
  -resp_text
```

How the responder works

  1. Receives a DER-encoded OCSP request via POST /. (RFC 6960 also allows a GET whose path is the base64-encoded request; clients that use that form get nothing useful from this responder.)
  2. Identifies the issuer by comparing issuerKeyHash against known CA public keys. A request whose issuerKeyHash matches no known CA should get an unauthorized response rather than a signed status.
  3. Currently returns GOOD for every serial (there is no revocation database yet), including serials the CA never issued. Until the lookup exists the service is a signed promise that nothing is revoked, and validators should treat it as such; once a database is in place, a serial that is not in the issued set should answer unknown, not GOOD.
  4. Signs the response with the issuer's Azure KV key (ES384). The key never leaves Key Vault, but an internet-facing service then holds permission to sign with the CA key itself; a delegated OCSP signing certificate (EKU id-kp-OCSPSigning) is the usual way to avoid that.
  5. Returns the DER-encoded OCSP response with Content-Type: application/ocsp-response.

TIP

To implement actual revocation, add a revoked_serials table to PostgreSQL and query it in responder.py before building the OCSP response. Keep that table the single source of truth for pki/generate_crl.py as well, so the CRL and OCSP never disagree, and rerun the CRL generation right after inserting a row. A table of issued serials lets the responder answer unknown for serials it never issued instead of GOOD.

Built on C2PA · Secured by Azure Key Vault · Anchored on Ethereum