Re: CRL Distribution Mechanism Evaluation and Considerations
Dear Franklin,
Two points:
1. Your x-ref addresses are incorrect. Both links should end with
htm instead of html, i.e.,
> By Phillip Hallum-Baker
http://csrc.nist.gov/pki/twg/papers/hallum-baker.htm
> By Mike Myers
http://csrc.nist.gov/pki/twg/twg98_6.htm
2. I believe that Thawte supports HTTPS, yet I have no idea whether they support
LDAP over SSL.
Thanks and hope it helps.
>From: "Franklin Lee" <franklinlee@hotmail.com>
>To: michael.stroeder@inka.de, openldap-general@OpenLDAP.org
>Subject: Re: CRL Distribution Mechanism Evaluation and Considerations
>Date: Mon, 06 Dec 1999 01:56:52 GMT
>
>Thanks a lot for Michael's prompt response.
>
>Actually, I'm a student in Mainland China doing research on
>"Digital Certificate" applications and limitations ---
>e-commerce and cryptography are still relatively new to our region.
>
>Regarding the CRL distribution mechanism, I have found a few topics,
>yet they are '98 versions:
>
>a) Phillip Hallum-Baker
>http://csrc.nist.gov/pki/twg/papers/hallum-baker.html
>
>b) Mike Myers
>http://csrc.nist.gov/pki/twg/twg98_6.html
>
>Therefore, comments and advice on further leads would be greatly
>appreciated.
>
>Again, thanks a lot.
>
>Rgds,
>Franklin
>
>>From: Michael Ströder <michael.stroeder@inka.de>
>>To: openldap-general@OpenLDAP.org
>>Subject: Re: CRL Distribution Mechanism Evaluation and
>>Considerations
>>Date: Sun, 05 Dec 1999 18:46:52 +0100
>>
>>Franklin Lee wrote:
>> >
>> > I'm interested in all experts' views on evaluating the distribution of
>> > the CRL (Certificate Revocation List) using LDAP over SSL instead of the
>> > other mechanisms, e.g., HTTPS (HTTP over SSL) regarding the different
>> > aspects, for example,
>>
>>You don't have to secure the transport of CRLs with e.g. SSL because the CRL
>>1. contains public data (serial numbers of revoked certs).
>>2. is also a certificate issued by the CA => non-repudiation is already
>>guaranteed by the CA's signature.
>>
>> > - what are the key considerations (e.g., performance, infrastructure) for
>> > choosing either protocol?
>>
>>The key consideration is the client's software. The client has to be
>>capable of retrieving the CRL. In my case I'm providing the certificates
>>and CRLs through HTTP and LDAP. But I put the HTTP URL as CRL
>>distribution point in the certificates themselves because most
>>certificate-using client software has support for HTTP but not for LDAP.
>>
>>But the main problem is how to motivate the client to retrieve an
>>initial or a new CRL? Most times this is done by the client software by
>>not allowing certificate usage if the CRL is expired. Unfortunately most
>>client software does not support the user very well in understanding CRLs.
>>E.g. Netscape Communicator mentions that it "cannot connect to secure
>>server" if you want to encrypt an e-mail with an e-mail certificate for
>>which the CRL is expired. :-(
>>
>>Ciao, Michael.
>>
>>P.S.: The mailing-list openssl-users@openssl.org might be a better
>>discussion forum for this question.
>
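The client-side check Michael describes in the thread above (a CA-signed CRL fetched from the plain-HTTP distribution point carried in the certificate, with the client refusing to use the certificate once the CRL is past its nextUpdate), worked through as an added example in Go using only the standard library. This is not code from the thread or from any of its participants, and nothing in it belongs to OpenLDAP or OpenSSL. The CA name, the user@example.test subject, serial number 4242 and the crl.example.test URL are constructed for the example; the CRL is handed to the checker as bytes in place of an actual HTTP fetch; and x509.ParseRevocationList / CheckSignatureFrom assume Go 1.19 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const crlURL = "http://crl.example.test/ca.crl" // hypothetical distribution point (constructed)

var ErrCRLExpired = errors.New("CRL past nextUpdate: refusing certificate until a fresh CRL is fetched")

// mustCert generates a P-256 key and a certificate for it; a nil signer means
// self-signed. Fixture builders panic on failure; only the client check returns errors.
func mustCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildPKI creates a self-signed CA and one end-entity certificate whose CRL
// distribution point is a plain HTTP URL, as in Michael's setup. All names and
// serial numbers are constructed for this example.
func BuildPKI(now time.Time) (caCert *x509.Certificate, caKey *ecdsa.PrivateKey, eeCert *x509.Certificate) {
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: []byte{1, 2, 3, 4}, // CreateRevocationList needs the issuer to carry one
	}
	caCert, caKey = mustCert(caTmpl, caTmpl, nil)
	eeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "user@example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, CRLDistributionPoints: []string{crlURL},
	}
	eeCert, _ = mustCert(eeTmpl, caCert, caKey)
	return caCert, caKey, eeCert
}

// IssueCRL signs a CRL listing the revoked serials, valid until nextUpdate.
func IssueCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []*big.Int, thisUpdate, nextUpdate time.Time) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: thisUpdate})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey)
	if err != nil {
		panic(err)
	}
	return der
}

// CheckRevocation does what a CRL-aware client should: verify the CA's signature
// (which is what makes plain-HTTP transport acceptable), refuse a CRL past its
// nextUpdate, then look the certificate's serial number up.
func CheckRevocation(crlDER []byte, ca, cert *x509.Certificate, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, ErrCRLExpired
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	now := time.Now()
	ca, caKey, ee := BuildPKI(now)
	crl := IssueCRL(ca, caKey, []*big.Int{ee.SerialNumber}, now, now.Add(24*time.Hour)) // a client would fetch this from ee.CRLDistributionPoints[0]
	revoked, err := CheckRevocation(crl, ca, ee, now)
	fmt.Println("now: revoked =", revoked, "err =", err)
	_, err = CheckRevocation(crl, ca, ee, now.Add(48*time.Hour))
	fmt.Println("two days later: err =", err)
}
```

The signature check is the whole reason the fetch can go over plain HTTP: a CRL with a flipped byte, or one signed by a different CA, is rejected regardless of how it arrived. The nextUpdate check is what turns an unreachable or stale distribution point into a hard failure rather than silent acceptance; the caveat is that an attacker who can block the fetch or replay an older, still-valid CRL keeps a revoked certificate usable until that CRL's nextUpdate, so the CRL lifetime bounds the exposure.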