Any comments from the pulp or thumbslug folks? -- bk
On 07/20/2011 12:30 PM, Bryan Kearney wrote:
Cross posting to pulp and candlepin lists. I apologize in advance. I am looking at how candlepin needs to communicate certificate revocation. The two main consumers I know of for this data are pulp (as part of katello) and thumbslug. In both cases, pulp and thumbslug are emitting a CDN interface and need to verify if a certificate presented to them are accurate. There are three main options that I have seen. Basic pros and cons below. I am looking for feedback from both camps as which they would prefer. I would like to agree on one model to limit testing issues. Certificate Revocation Lists (CRL) ================================== Candlepin generates CRLs which are read by Pulp/Thumbslug. Files are regenerated every X hours and need to be refreshed. Pros: (1) Candlepin does this already! (2) Standards compliant Cons: (1)As the tools are horzontally scaled, we need to design out how (1.1) Handle candlepin is on many machines (1.2) Handle when pulp/thumbslug is on different machines from candlepin Online Certificate Status Protocol (OCSP) ========================================= An OCSP responder exists which can return a yes/no for certificates. Pros: (1) Standards Compliant (2) Should solve the cross machine issues Cons: (1) More work for Candlepin (2) May need to implementing a "mirror list" type solution for finding candlepin Custom Wire Protocol ==================== Same model as OCSP, but custom protocol. Pros: (1) Should be easier to implement than OCSP (2) Should resolve the cross machine issues Cons: (1) Same as OCSP Comments from folks? -- bk
_______________________________________________ Pulp-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/pulp-list
