We are looking at using Client Certs via an internal CA as a cheap way of strong authentication (SecurID costs are killing us!)
Obviously we'll have to introduce processes by which leaving staff have their certs revoked, and have quick turnaround on revoking certs when a user reports them lost (yeah, right... :-/)

Anyway, I can't think of a way of getting the server to check revocations other than uploading the crl.pem hourly/daily from the CA to each SSL server. This is possible, but I wondered if there is a better way of doing it, or is that how this is meant to be done? I mean, that doesn't look like it'd scale very well...

If that is true, can I imply from this that revocation checks basically aren't done on the Internet today?

--
Cheers

Jason Haar
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377
Fax: +64 3 9635 417
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
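The server-side check the post is asking about, written out as an added Go example (not code from the post, from mod_ssl or from OpenSSL). It builds a constructed internal CA, issues client certs for two made-up users, has the CA publish a CRL (the crl.pem of the post, here in DER), and then performs the three steps a server must do with a CRL it received by copy: verify the client cert chains to the CA, verify the CRL is signed by that CA and has not passed its nextUpdate, and only then look the serial number up. The CA name, user names, serials and dates are all assumptions for the example; the stale-CRL case is handled by failing closed, since a CRL copied over "hourly/daily" is only worth anything while it is still current.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Distinct errors so the caller (or a log line) says *why* a cert was refused.
var (
	ErrNotTrusted = errors.New("client cert does not chain to the internal CA")
	ErrBadCRLSig  = errors.New("CRL is not signed by the internal CA")
	ErrStaleCRL   = errors.New("CRL nextUpdate has passed: failing closed")
	ErrRevoked    = errors.New("client cert serial is listed in the CRL")
	// Fixed clock and validity window (constructed) so runs are deterministic.
	notBefore = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	notAfter  = time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	now       = time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC)
)

// newCA builds a self-signed internal CA (hypothetical name) that may sign CRLs.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is mandatory for CRL issuers
		SubjectKeyId: []byte{0x01, 0x02, 0x03, 0x04},               // CreateRevocationList requires an SKI
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClientCert issues a client-auth cert (DER) for user under the given serial.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, user string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: user},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
}

// issueCRL is the CA side: the file that gets copied to every SSL server (DER here).
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, number int64,
	thisUpdate, nextUpdate time.Time, revokedSerials ...int64) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	for _, s := range revokedSerials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: thisUpdate})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// checkClientCert is the server side: chain first, then CRL authenticity and
// freshness, then the serial lookup. A stale or foreign CRL is rejected, not ignored.
func checkClientCert(clientDER []byte, ca *x509.Certificate, crlDER []byte, at time.Time) error {
	cert, err := x509.ParseCertificate(clientDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return fmt.Errorf("%w: %v", ErrNotTrusted, err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // a CRL anyone could have written must not count
		return fmt.Errorf("%w: %v", ErrBadCRLSig, err)
	}
	if !at.Before(crl.NextUpdate) { // the copy interval has to beat nextUpdate, or logins stop
		return ErrStaleCRL
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func main() {
	ca, caKey, _ := newCA()
	alice, _ := issueClientCert(ca, caKey, 1001, "alice") // constructed users
	bob, _ := issueClientCert(ca, caKey, 1002, "bob")
	crl, _ := issueCRL(ca, caKey, 7, now.Add(-time.Hour), now.Add(24*time.Hour), 1002) // bob revoked
	fmt.Println("alice:", checkClientCert(alice, ca, crl, now))
	fmt.Println("bob:  ", checkClientCert(bob, ca, crl, now))
}
```

In mod_ssl this logic runs inside OpenSSL once the copied CRL is pointed at with SSLCARevocationFile or SSLCARevocationPath, so the copy-the-file approach in the post is exactly what feeds it; the point the example adds is that the CRL's own nextUpdate field decides how often that copy has to happen, and that a server which keeps accepting certs after nextUpdate has effectively stopped checking revocation.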
