[Date Prev][Date Next] [Chronological] [Thread] [Top]


Sumanth Inabathini wrote:
> I am right now working on the implementation of the LDAP for IPSEC-IKE to
> retrieve CRLs from a CA.
> I have the following doubts:
> 1)
> I want to know whether there are any public LDAP CRL servers.

There are. But this depends very much on the CA certs you are
trusting. Some certs have extended attributes which points to CRL
distribution points (see RFC2459). Most times these attributes
points to HTTP servers.

> If there are any such, I would also like to know additional information
> like the ip address of the public LDAP CRL server etc., needed to connect
> to the server and get the CRLs from the server.

Hmm, I can name some servers but this won't help you. Which certs do
you want to check?

> 2)
> I would also like to know something more about CRLs like how they are
> organised, what are the different attributes in the CRL and what it is like.

DER-encoded X.509 CRLs stored in attribute userRevocationList in
case for end-entity certs and authorityRevocationList for CA certs
(you might need to use sub-type ;binary on some servers to retrieve
them in binary format).

> 3)
> And I would also like to know the format of the data that is returned from
> the LDAP server, like whether each result returned contains a single record
> of the certificates with their atributes that are in the CRLs or the entire
> list of the certificates with their attributes or how it is.

This seems to me being more a question about the CRL format itself.

Refer to RFC2459 for getting an idea of how to parse the CRL. In
general you can download the DER-encoded CRL via HTTP or LDAP and
pass it right to your X.509 library.

> . I mean, I
> would like to know how the results are returned.

Hmm, I'm not quite sure if I understood your question. Maybe you
like to browse CRLs in LDAP for getting an idea of it. E.g. check
out an example entry:


Ciao, Michael.