On Sun, Nov 24, 2002 at 09:29:09PM -0800, Jimi Thompson wrote:
> It is also interesting to note that for practical purposes Certificate
> Revocation Lists are invalid. While they do exist and are part of the
> standard, very few applications are written to take advantage of them. Once
> a certificate is issued, it is "good" until its expiration date, if one was
> set.
Indeed - a fact that never fails to astound me. We were looking at buying a reverse-proxy that would allow us to make available some of our internal Web apps from the Internet, with the requirement that a valid SSL client cert be presented first. In order to control which client certs were valid, we have to rely on CRLs so that we can (e.g.) revoke a client cert when someone's laptop is stolen. *NONE* of the commercial offerings we looked at supported CRLs... I can't believe they could claim to support HTTPS and especially client certs without also supporting CRLs. But they are still plugging their products...

Jason,

There is actually a somewhat unwieldy workaround for this using an extended LDAP schema. It goes something like this. Use LDAP authentication but extend the LDAP schema to include the certificate. If the authentication request doesn't match the cert in the schema, you don't get to play. It's the closest I've been able to come to actually getting a working CRL.

I agree that it is ridiculous that the commercial products don't perform better, but we live in a world where people run Windows firewalls. Consumers are willing to accept crap. What can I say....

My best advice is to cook up your own home grown solution and then complain loudly to everyone who will listen. The mailing list you will likely want to join and do your carping on is [EMAIL PROTECTED]. Work is in progress on the "new and improved" PKI standard. Become part of the solution.

HTH,
Jimi

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
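The gap the thread complains about is easy to see on the command line: a chain check alone accepts a revoked client certificate, and only a verifier that consults the CRL rejects it. The script below is an added example, not code from this thread or from the OpenSSL project. It builds a throwaway client CA, issues one client certificate (the "stolen laptop" cert), revokes it and publishes a CRL, then runs the same verification with and without CRL checking. It assumes only that the `openssl` CLI is on PATH; every name, path and serial number in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project): a throwaway client CA,
# one client certificate, a CRL revoking it, and the same verification run with
# and without CRL checking. Assumes the openssl CLI on PATH; all names, paths and
# the serial number 1000 are constructed for this demo.

# Build the demo PKI in a temporary directory and print that directory's path.
build_demo_pki() {
    WORK=$(mktemp -d) || return 1

    # 1. Self-signed CA that signs client certificates (CA:TRUE comes from the
    #    default req -x509 behaviour / openssl.cnf v3_ca section).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -subj "/CN=Demo Client CA" -days 2 >/dev/null 2>&1 || return 1

    # 2. Client key and CSR, signed by the CA with a known serial (1000, constructed).
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
        -out "$WORK/client.csr" -subj "/CN=laptop-user" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -set_serial 1000 -days 2 -out "$WORK/client.crt" >/dev/null 2>&1 || return 1

    # 3. Minimal 'openssl ca' database so the CA can record a revocation and emit a CRL.
    : > "$WORK/index.txt"
    echo 1001 > "$WORK/serial"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
serial = $WORK/serial
new_certs_dir = $WORK
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 1
EOF

    # 4. The laptop is reported stolen: revoke its cert and publish a fresh CRL.
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/client.crt" >/dev/null 2>&1 || return 1
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1 || return 1

    echo "$WORK"
}

# What a product that ignores CRLs effectively does: chain and validity check only.
verify_without_crl() {
    openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1
}

# What the reverse proxy should do: the same chain check plus a CRL lookup of the leaf.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" \
        "$1/client.crt" >/dev/null 2>&1
}

# Number of serials listed on the CRL (1 here: only the client cert was revoked).
count_revoked() {
    openssl crl -in "$1/ca.crl" -noout -text | grep -c 'Serial Number:'
}

DEMO=$(build_demo_pki)
if [ -n "$DEMO" ]; then
    verify_without_crl "$DEMO" && echo "chain-only check: accepted (revocation invisible)"
    verify_with_crl "$DEMO" || echo "chain + CRL check: rejected"
    echo "revoked serials on CRL: $(count_revoked "$DEMO")"
    rm -rf "$DEMO"
fi
```

The two `verify` calls differ only in `-crl_check` and `-CRLfile`, which is exactly the difference between "the cert chains to our CA" and "the cert chains to our CA and has not been revoked". A gateway that stops at the first check keeps honouring the stolen laptop's certificate until its expiry date, which is the situation the thread describes.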