Partitioned CRLs

Partitioned CRLs

am 21.10.2008 11:50:35 von Nuno Ponte

Hi,

We are running a CA that has thousands of revoked certificates,
which leads to CRLs of several MBytes.

On the next nenewal of the CA, we are thinking of partitioning the
CRLs at each X number of issued certificates. The issued certificates
will have different CRL Distribution Points (CDP) according to the
partitions they are assigned.

For example, for X=100, from certificate 1 to certificate 100, the
CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101
to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.

My question: Is mod_ssl/openssl prepared to support partitioned
CRLs like the way described? In particular, if CRLs are cached,
mod_ssl must be able to merge several different partitions according
to the CDP to create a unified view over the revocation universe of a
CA.

Regards,

Nuno Ponte
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Partitioned CRLs

am 21.10.2008 12:04:45 von Gilles Cuesta

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig209E30A5C457ABCF5839B281
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Nuno Ponte a =E9crit :
> Hi,
>
> We are running a CA that has thousands of revoked certificates,
> which leads to CRLs of several MBytes.
>
> On the next nenewal of the CA, we are thinking of partitioning the
> CRLs at each X number of issued certificates. The issued certificates
> will have different CRL Distribution Points (CDP) according to the
> partitions they are assigned.
>
> For example, for X=3D100, from certificate 1 to certificate 100, th=
e
> CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101
> to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.
> =20
CDP is embedded when creating certificate, so it might be possible
(client side).

Server side, you can stack as many crl as you want into either a single
file, or a directory (using hashing) and point to it into Apache.
But you may apply a patch for multiple identical DN handling.
http://marc.info/?l=3Dapache-httpd-dev&m=3D120350484626015&q =3Dp3

Why didn't you implement OCSP into Apache ?
http://sitola.fi.muni.cz/%7Etauceti/?download=3Docsp_apache_ 2.2.patch (I
didn't test it anyway)

--=20
La Joconde ne sourit pas devant Chuck Norris.
Gilles CUESTA - Logiciels Libres
69139920



--------------enig209E30A5C457ABCF5839B281
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFI/alB545quQSHen8RArdaAKC/atxsv5bQCcT/ApjxGAhQ79M3lQCg 1bRy
FpdtiJSkPaI707hlF0XRswg=
=4Y96
-----END PGP SIGNATURE-----

--------------enig209E30A5C457ABCF5839B281--
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Partitioned CRLs

am 21.10.2008 17:32:22 von Nuno Ponte

Hi Gilles,

Thanks for your reply! :-)

The CA also offers OCSP, which is obviously the preferred way to
validate certificate status. I am just trying to make sure that there
is support from the "applications world" to such a CRL partitioning
scheme. Wide interoperability is a key goal.

Regards,

Nuno Ponte


On Tue, Oct 21, 2008 at 11:04 AM, Cuesta Gilles w=
rote:
> Nuno Ponte a =E9crit :
>> Hi,
>>
>> We are running a CA that has thousands of revoked certificates,
>> which leads to CRLs of several MBytes.
>>
>> On the next nenewal of the CA, we are thinking of partitioning the
>> CRLs at each X number of issued certificates. The issued certificates
>> will have different CRL Distribution Points (CDP) according to the
>> partitions they are assigned.
>>
>> For example, for X=3D100, from certificate 1 to certificate 100, the
>> CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101
>> to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.
>>
> CDP is embedded when creating certificate, so it might be possible
> (client side).
>
> Server side, you can stack as many crl as you want into either a single
> file, or a directory (using hashing) and point to it into Apache.
> But you may apply a patch for multiple identical DN handling.
> http://marc.info/?l=3Dapache-httpd-dev&m=3D120350484626015&q =3Dp3
>
> Why didn't you implement OCSP into Apache ?
> http://sitola.fi.muni.cz/%7Etauceti/?download=3Docsp_apache_ 2.2.patch (I
> didn't test it anyway)
>
> --
> La Joconde ne sourit pas devant Chuck Norris.
> Gilles CUESTA - Logiciels Libres
> 69139920
>
>
>
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org