Jason Haar <[EMAIL PROTECTED]> wrote:

Julien VEHENT wrote:


I don't want to use HTTP just because web servers are too much
attacked. Moreover, OCSP is very interesting for the student that I am :)

OK, so if I use a "boring script" which requests 100 serials in one
line, what is the correct syntax to generate a CRL using the OpenSSL
OCSP request?

I don't think you can do what you want anyway - you have a
chicken-n-egg problem.

As far as I'm aware, an OCSP environment implies the following. You
(e.g. the HTTPS server) are asked to interact with a remote cert; you
can tell it was signed by a CA you trust - but you don't know whether
it has been revoked. So you call OCSP and say "is serial 7423342
still valid" and it answers yes or no.

So for you to dump all the revoked certs contained within an OCSP db,
you'd need to know all of the serial numbers in advance. And the only
thing that knows all the assigned serial numbers is the CA itself.
So now what do you do? Log into the CA and dump the serial numbers,
copy them over to the box and then use OCSP to recursively do the
lookups?!?! A waste of time - you could have just grabbed the CRL
file in the first place.

What we do is have a distribution of "CRL Servers": simply Apache
servers with a copy of our CRL (rsync'ed onto the Apache servers from
the CA on an hourly basis). As Stephen said, all CRLs are digitally
signed by the CA - so THEY CANNOT BE ALTERED.

Worst case scenario is that the Web server is compromised and...? The
CRL is deleted...? Corrupted? It can't be altered. I mean, if your
Web server is compromised, the integrity of your CRL file is
irrelevant.

Thanks for your very interesting answer...

Now I understand that using OCSP requests with OpenVPN is not the
best way for me...

Perhaps, in a next release, the OpenVPN devs will include OCSP support ;)





------------------------------------------------------------------
J. VEHENT
[EMAIL PROTECTED]




------------------------------------------------------------------
 Microgate      |      02.47.66.95.01    |     www.microgate.fr

Attachment: binKPUps22wQV.bin
Description: PGP public key
