
Re: CRL Distribution Mechanism Evaluation and Considerations



Franklin Lee wrote:
> 
> I'm interested in all experts' views on evaluating the distribution of
> the CRL (Certificate Revocation List) using LDAP over SSL instead of the
> other mechanisms, e.g., HTTPS (HTTP over SSL), regarding the different
> aspects, for example,

You don't have to secure the transport of CRLs with e.g. SSL
because the CRL
1. contains public data (serial numbers of revoked certs).
2. is also a certificate issued by the CA => non-repudiation is already
guaranteed by the CA's signature.

> - what are the key considerations (e.g., performance, infrastructure) for
> choosing either protocol?

The key consideration is the client's software. The client has to be
capable of retrieving the CRL. In my case I'm providing the certificates
and CRLs through HTTP and LDAP. But I put the HTTP URL as CRL
distribution point in the certificates themselves because most
certificate-using client software has support for HTTP but not for LDAP.

But the main problem is how to motivate the client to retrieve an
initial or a new CRL? Most of the time this is done by the client software
by not allowing certificate usage if the CRL is expired. Unfortunately most
client software does not support the user very well in understanding CRLs.
E.g. Netscape Communicator mentions that it "cannot connect to secure
server" if you want to encrypt an e-mail with an e-mail certificate for
which the CRL is expired. :-(

Ciao, Michael.

P.S.: The mailing-list openssl-users@openssl.org might be a better
discussion forum for this question.
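The two points made in the reply (the CRL needs no transport protection because the CA's signature covers it, and a client should refuse the certificate once the CRL is past its nextUpdate) can be shown end to end with Go's standard library. The following is an added example, not code from the original post or from any project mentioned in it. It constructs a throwaway CA, issues a certificate whose cRLDistributionPoints extension carries a hypothetical HTTP URL (http://pki.example.test/ca.crl), signs a CRL, and then runs the relying-party check: verify the CA signature first (which is why plain HTTP or LDAP is enough), then reject a stale CRL, then look the serial up. Fetching the CRL from the URL is not done here, so it runs offline. It assumes Go 1.19 or later for x509.ParseRevocationList and RevocationList.CheckSignatureFrom.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// baseCert returns a template with the fields every constructed cert here shares, plus a fresh key.
func baseCert(serial int64, cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails if the entropy source does
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}, key
}

// signCert signs t under parent with priv and parses the DER back into a Certificate.
func signCert(t, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildCA makes a throwaway self-signed CA; CreateRevocationList refuses an issuer without KeyUsageCRLSign.
func buildCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	t, key := baseCert(1, "Example Test CA")
	t.IsCA, t.BasicConstraintsValid = true, true
	t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	ca, err := signCert(t, t, &key.PublicKey, key)
	return ca, key, err
}

// issueLeaf issues an end-entity cert whose cRLDistributionPoints extension carries cdp,
// the URL the CA wants clients to fetch the CRL from.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cdp string) (*x509.Certificate, error) {
	t, key := baseCert(serial, "user@example.test")
	t.KeyUsage = x509.KeyUsageDigitalSignature
	t.CRLDistributionPoints = []string{cdp}
	return signCert(t, ca, &key.PublicKey, caKey)
}

// buildCRL signs a CRL listing the given serials; after nextUpdate a client must treat it as stale.
func buildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []int64, thisUpdate, nextUpdate time.Time) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: thisUpdate})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          thisUpdate,
		NextUpdate:          nextUpdate,
		RevokedCertificates: entries, // pre-Go 1.21 field name, still honoured by newer releases
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// checkStatus is the client side. The CRL bytes may have arrived over plain HTTP or LDAP;
// their integrity rests on the CA signature, not on the transport.
func checkStatus(crlDER []byte, ca, leaf *x509.Certificate, now time.Time) string {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil {
		return "crl-bad-signature" // unparsable, or not signed by the CA we trust
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return "crl-stale" // the condition that makes a well-behaved client refuse the cert and refetch
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "good"
}

func main() {
	ca, caKey, _ := buildCA()
	leaf, _ := issueLeaf(ca, caKey, 4242, "http://pki.example.test/ca.crl") // hypothetical CDP URL
	now := time.Now()
	crl, _ := buildCRL(ca, caKey, []int64{4242}, now.Add(-time.Hour), now.Add(24*time.Hour))
	fmt.Println("CDP:", leaf.CRLDistributionPoints, "| now:", checkStatus(crl, ca, leaf, now),
		"| two days later:", checkStatus(crl, ca, leaf, now.Add(48*time.Hour)))
	crl[len(crl)-1] ^= 0xff // flip a byte, as a faulty or hostile proxy might
	fmt.Println("tampered CRL:", checkStatus(crl, ca, leaf, now))
}
```

The order of the checks in checkStatus is the point: signature before freshness before lookup. A CRL that fails the signature check is rejected regardless of how it was transported, and a CRL that verifies but is past nextUpdate is rejected too, which is the behaviour the reply describes where the client refuses to use the certificate until a fresh CRL is retrieved from the distribution point named in the certificate.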