Details on how to run a CRL?

on 05.06.2002 04:47:12 by Jason Haar

We are looking at using Client Certs via an internal CA as a cheap way of
strong authentication (SecurID costs are killing us!)

Obviously we'll have to introduce processes by which leaving staff have
their certs revoked, and have quick turnaround on revoking certs when a user
reports them lost (yeah, right... :-/)

Anyway, I can't think of a way of getting the server to check revocations
other than uploading the crl.pem hourly/daily from the CA to each SSL
server. This is possible, but I wondered if there is a better way of doing
it, or is that how this is meant to be done? I mean, that doesn't look like
it'd scale very well...

If that is true, can I imply from this that revocation checks basically
aren't done on the Internet today?


--
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Details on how to run a CRL?

on 05.06.2002 09:33:54 by Mads Toftum

On Wed, Jun 05, 2002 at 02:47:12PM +1200, Jason Haar wrote:
> We are looking at using Client Certs via an internal CA as a cheap way of
> strong authentication (SecurID costs are killing us!)
>
> Obviously we'll have to introduce processes by which leaving staff have
> their certs revoked, and have quick turnaround on revoking certs when a user
> reports them lost (yeah, right... :-/)
>
> Anyway, I can't think of a way of getting the server to check revocations
> other than uploading the crl.pem hourly/daily from the CA to each SSL
> server. This is possible, but I wondered if there is a better way of doing
> it, or is that how this is meant to be done? I mean, that doesn't look like
> it'd scale very well...

Depending on exactly how many certs you're expecting to expire, this should
still work fine for a couple of thousand users. I suppose you could even remove
certs from the crl once they've expired (since they will still be rejected).
As an alternative you could use http://authzldap.othello.ch/
>
> If that is true, can I imply from this that revocation checks basically
> aren't done on the Internet today?
>
No.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall

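The hourly/daily push Jason describes can be made safe against a tampered or replayed CRL with two checks on the receiving server. The script below is an added example, not code from the thread or from mod_ssl; it assumes the openssl CLI is present and uses hypothetical paths and a hypothetical CRL URL.

```shell
#!/bin/sh
# Added example, not code from the thread: verify a CRL fetched from the internal
# CA and install it under the hashed name mod_ssl's SSLCARevocationPath expects.
# Requires the openssl CLI; paths and the CRL URL below are hypothetical.
set -eu

# crl_number FILE -> the CRL's crlNumber in hex, or 0 when the extension is absent
crl_number() {
    n=$(openssl crl -in "$1" -crlnumber -noout | sed -n 's/^crlNumber=//p')
    case $n in ''|*[!0-9A-Fa-f]*) n=0 ;; esac
    echo "$n"
}

# install_crl CRLFILE CACERT DIR -> prints the installed path; returns 1 on refusal
install_crl() {
    crl=$1; ca=$2; dir=$3
    # 1. The CRL must be signed by our CA. Without this check, anyone able to
    #    tamper with the transfer could substitute a CRL that revokes nothing.
    if ! openssl crl -in "$crl" -CAfile "$ca" -noout >/dev/null 2>&1; then
        echo "refusing $crl: signature does not verify against $ca" >&2
        return 1
    fi
    # 2. crlNumber must not go backwards, so replaying an older CRL cannot
    #    "un-revoke" a certificate. Assumes the CA emits crlNumber, as
    #    'openssl ca -gencrl' does when crlnumber is configured.
    issuer_hash=$(openssl crl -in "$crl" -hash -noout)
    target="$dir/$issuer_hash.r0"
    new=$(crl_number "$crl")
    if [ -f "$target" ]; then
        old=$(crl_number "$target")
        if [ "$((0x$new))" -lt "$((0x$old))" ]; then
            echo "refusing $crl: crlNumber $new is older than installed $old" >&2
            return 1
        fi
    fi
    # 3. Write then rename, so Apache never reads a half-copied file.
    cp "$crl" "$target.tmp"
    mv "$target.tmp" "$target"
    echo "$target"
}

# Hourly cron entry on each SSL server (hypothetical URL and paths):
#   curl -fsS https://ca.example.internal/crl.pem -o /tmp/crl.pem \
#     && install_crl /tmp/crl.pem /etc/ssl/ca.crt /etc/ssl/crl \
#     && apachectl graceful   # mod_ssl reads the CRL directory at (re)start
```

Dropping expired certificates from the CRL, as Mads suggests, keeps the file small; the checks above are what keep it trustworthy on the way from the CA to each server.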