I do contracting work for a Fortune 500 company. The size of the network is huge. PKI is not my area of expertise but I've been doing some eavesdropping and have some questions.
They have an offline root CA and a bunch of subordinate CAs located globally. They are using the OCSP protocol to "check" the certificate.
Typically, are the subordinate CAs also talking OCSP to each other? Or is it that typically the OCSP servers are separate from the sub-CA?
Do the OCSP servers check against a certificate revocation list or are those two separate products?