On Wed, Jun 05, 2002 at 02:47:12PM +1200, Jason Haar wrote:
> We are looking at using Client Certs via an internal CA as a cheap way of
> strong authentication (SecurID costs are killing us!)
>
> Obviously we'll have to introduce processes by which leaving staff have
> their certs revoked, and have quick turnaround on revoking certs when a user
> reports them lost (yeah, right... :-/)
>
> Anyway, I can't think of a way of getting the server to check revocations
> other than uploading the crl.pem hourly/daily from the CA to each SSL
> server. This is possible, but I wondered if there is a better way of doing
> it, or is that how this is meant to be done? I mean, that doesn't look like
> it'd scale very well...
Depending on exactly how many certs you're expecting to expire, this should
still work fine for a couple of thousand users. I suppose you could even
remove certs from the crl once they've expired (since they will still be
rejected). As an alternative you could use http://authzldap.othello.ch/

> If that is true, can I imply from this that revocation checks basically
> aren't done on the Internet today?
>
No.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
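The "upload crl.pem hourly/daily to each SSL server" approach discussed in the thread, as an added example (this is not code from the thread, from mod_ssl or from authzldap): a cron job that pulls the CA's CRL and only installs it into the file named by mod_ssl's SSLCARevocationFile after checking the CA signature, the nextUpdate date and that the CRL number has gone up. The URL and paths are assumptions, and it assumes curl, the openssl command-line tool and GNU date.

```shell
#!/bin/sh
# Added example (not from the thread or mod_ssl): cron job that pulls the
# CA's CRL onto one SSL server and installs it only after checking it.
# URL and paths are assumptions; SSLCARevocationFile must name CRL_DEST.
set -eu

CRL_URL="http://ca.internal.example/crl.pem"   # assumed CA distribution point
CA_CERT="/etc/httpd/ssl/ca.crt"                # assumed CA certificate
CRL_DEST="/etc/httpd/ssl/crl.pem"              # file named by SSLCARevocationFile

# Turn a "crlNumber=0A" line (output of `openssl crl -crlnumber -noout`)
# into a decimal integer; fails on "crlNumber=<NONE>" or garbage.
crl_number_decimal() {
    hex=$(printf '%s\n' "$1" | sed -n 's/^crlNumber=\([0-9A-Fa-f][0-9A-Fa-f]*\)$/\1/p')
    [ -n "$hex" ] || return 1
    echo $((0x$hex))
}

# Succeed only if NEW's crlNumber is strictly higher than OLD's, so a stale
# mirror or a replayed old CRL cannot roll the server back to a shorter list.
crl_number_advanced() {
    old=$(crl_number_decimal "$1") || return 1
    new=$(crl_number_decimal "$2") || return 1
    [ "$new" -gt "$old" ]
}

# Succeed only if a "nextUpdate=Jun  6 14:47:12 2002 GMT" line lies in the
# future (GNU date assumed); an expired CRL is refused, not silently installed.
crl_not_expired() {
    when=$(printf '%s\n' "$1" | sed -n 's/^nextUpdate=//p')
    [ -n "$when" ] || return 1
    [ "$(date -u -d "$when" +%s)" -gt "$(date -u +%s)" ]
}

refresh_crl() {
    tmp=$(mktemp "$CRL_DEST.XXXXXX")
    trap 'rm -f "$tmp"' EXIT
    curl -fsS -o "$tmp" "$CRL_URL"
    # Plain HTTP is fine: the CRL is rejected unless our CA signed it.
    openssl crl -in "$tmp" -CAfile "$CA_CERT" -noout 2>&1 | grep -q '^verify OK'
    crl_not_expired "$(openssl crl -in "$tmp" -noout -nextupdate)"
    if [ -f "$CRL_DEST" ]; then
        crl_number_advanced "$(openssl crl -in "$CRL_DEST" -noout -crlnumber)" \
                            "$(openssl crl -in "$tmp" -noout -crlnumber)"
    fi
    mv "$tmp" "$CRL_DEST"      # same directory, so the replace is atomic
    apachectl graceful         # mod_ssl re-reads the CRL on restart
}
if [ "${1:-}" = "--run" ]; then refresh_crl; fi
```

Run it as `crl-refresh.sh --run` from cron on each server; any failed check leaves the previously installed CRL in place and exits non-zero so the job shows up in cron mail.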
