Multiple CRLs with same CA

2001-12-11 Thread Alec . Barea

Hello there,

Does mod_ssl support having multiple CRLs for one CA?
It seems it doesn't, and that's very annoying in my situation.
I'm using Entrust PKI software which splits the CRL when it reaches
a defined size (for scalability). mod_ssl seems to check only the first
CRL and doesn't care about the others, which means that users with
revoked certificates can use them...

Regards,

Alec



Alec Barea
PKI engineering team
Equant
Tel:  +1 514 847-3436
CVS: 225 3436

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: Multiple CRLs with same CA

2001-12-11 Thread Mads Toftum

On Tue, Dec 11, 2001 at 05:32:42PM -0500, [EMAIL PROTECTED] wrote:
> Hello there,
> 
> Does mod_ssl support having multiple CRLs for one CA?
> It seems it doesn't, and that's very annoying in my situation.
> I'm using Entrust PKI software which splits the CRL when it reaches
> a defined size (for scalability). mod_ssl seems to check only the first
> CRL and doesn't care about the others, which means that users with
> revoked certificates can use them...
> 
Hmmm - perhaps you could use mod_authz_ldap - AFAICT it should be a usable
solution in an Entrust setup. 

vh

Mads Toftum
-- 
With a rubber duck, one's never alone.
  -- "The Hitchhiker's Guide to the Galaxy"



Re: Multiple CRLs with same CA

2001-12-11 Thread Alec . Barea


Hello Mads,

Thanks for your answer.
I took a look at the web page of mod_authz_ldap but couldn't figure out how
it could help me; can you explain your thoughts a bit more?

Regards,

Alec


>From Mads Toftum <[EMAIL PROTECTED]> on 11 December 2001 23:45:53
To : [EMAIL PROTECTED]
Subject : Re: Multiple CRLs with same CA


On Tue, Dec 11, 2001 at 05:32:42PM -0500, [EMAIL PROTECTED] wrote:
> Hello there,
>
> Does mod_ssl support having multiple CRLs for one CA?
> It seems it doesn't, and that's very annoying in my situation.
> I'm using Entrust PKI software which splits the CRL when it reaches
> a defined size (for scalability). mod_ssl seems to check only the first
> CRL and doesn't care about the others, which means that users with
> revoked certificates can use them...
>
Hmmm - perhaps you could use mod_authz_ldap - AFAICT it should be a usable
solution in an Entrust setup.

vh

Mads Toftum
--
With a rubber duck, one's never alone.
  -- "The Hitchhiker's Guide to the Galaxy"






Re: Multiple CRLs with same CA

2001-12-12 Thread Rich Salz

No, openssl does not yet support the (infinite:) ways to split CRLs
that Entrust likes.

OCSP is simpler. :)
/r$

-- 
Zolera Systems, Securing web services (XML, SOAP, Signatures,
Encryption)
http://www.zolera.com



Re: Multiple CRLs with same CA

2001-12-12 Thread Schaefer,Lorrayne J.

Hi everyone.  I was chatting with an Entrust engineer yesterday about
partitioned CRLs (this is where you can break it down by something such as
size).  The only CA that currently does this to my knowledge is Entrust.

I agree with Rich Salz's response.  OCSP is a great way to go (and,
Valicert offers an Apache plug-in).  :-)

Lorrayne






Re: Multiple CRLs with same CA

2001-12-12 Thread Alec . Barea


Hello Lorrayne,

Thanks for your input.
By any chance, do you know if I can use OCSP with an Entrust CA (instead of
CRLs)?

Regards,

Alec


>From "Schaefer,Lorrayne J." <[EMAIL PROTECTED]> on 12 December 2001
9:07:02
To : [EMAIL PROTECTED]
Copy To : [EMAIL PROTECTED]
Subject : Re: Multiple CRLs with same CA


Hi everyone.  I was chatting with an Entrust engineer yesterday about
partitioned CRLs (this is where you can break it down by something such as
size).  The only CA that currently does this to my knowledge is Entrust.

I agree with Rich Salz's response.  OCSP is a great way to go (and,
Valicert offers an Apache plug-in).  :-)

Lorrayne









Re: Multiple CRLs with same CA

2001-12-12 Thread Rich Salz

Does Valicert support the various Entrust CRL extensions and
partitioning?

If not, then they're useless for this problem.
/r$

-- 
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com



Re: Multiple CRLs with same CA

2001-12-13 Thread Schaefer,Lorrayne J.

Yes, you can use OCSP with Entrust issued certificates.  

Lorrayne

[EMAIL PROTECTED] wrote:
> 
> Hello Lorrayne,
> 
> Thanks for your input.
> By any chance, do you know if I can use OCSP with an Entrust CA (instead of
> CRLs)?
> 
> Regards,
> 
> Alec
> 
>
> 
> From "Schaefer,Lorrayne J." <[EMAIL PROTECTED]> on 12 December 2001
> 9:07:02
> To : [EMAIL PROTECTED]
> Copy To : [EMAIL PROTECTED]
> Subject : Re: Multiple CRLs with same CA
> 
> Hi everyone.  I was chatting with an Entrust engineer yesterday about
> partitioned CRLs (this is where you can break it down by something such as
> size).  The only CA that currently does this to my knowledge is Entrust.
> 
> I agree with Rich Salz's response.  OCSP is a great way to go (and,
> Valicert offers an Apache plug-in).  :-)
> 
> Lorrayne
> 
> 
> 
>
> 





Re: Multiple CRLs with same CA

2001-12-13 Thread Schaefer,Lorrayne J.

Valicert has listed Entrust as one of its partners.  I would assume that
would mean that Valicert can interoperate with Entrust issued
certificates.

Lorrayne

Rich Salz wrote:
> 
> Does Valicert support the various Entrust CRL extensions and
> partitioning?
> 
> If not, then they're useless for this problem.
> /r$
> 



Re: Multiple CRLs with same CA

2001-12-13 Thread Rich Salz

> Valicert has listed Entrust as one of its partners.  I would assume that
> would mean that Valicert can interoperate with Entrust issued
> certificates.

I think it is stretching things to say that partnership implies full
parsing of the various Entrust CRLs. How many partnerships do you know
where full implementation or interop is implied? :)
/r$
-- 
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com



Re: Multiple CRLs with same CA

2001-12-13 Thread Schaefer,Lorrayne J.

Rich,

I'll check w/ an Entrust engineer today to see if I can get an honest
(ha!) answer from him regarding your concerns.

Lorrayne




Re: Multiple CRLs with same CA

2001-12-13 Thread Rich Salz

I'd ask a Valicert person, actually.

-- 
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com



Re: Multiple CRLs with same CA

2001-12-13 Thread Alec . Barea


Hello there,

Thanks a lot for your help and input.
Actually I found a solution to the problem. Entrust allows partitioned CRLs
by default (CRLs are split for scalability purposes) but you can enable
the combined CRL which will not be split (for compatibility, as the
partitioned CRL is only an option in the standard). So this one works well
with openssl/mod_ssl.
Those 2 CRLs (combined and partitioned) will both work at the same time
without problems.

If you want more info on that, don't hesitate to ask me.

Cheers,

Alec


>From "Schaefer,Lorrayne J." <[EMAIL PROTECTED]> on 12 December 2001
9:07:02
To : [EMAIL PROTECTED]
Copy To : [EMAIL PROTECTED]
Subject : Re: Multiple CRLs with same CA


Hi everyone.  I was chatting with an Entrust engineer yesterday about
partitioned CRLs (this is where you can break it down by something such as
size).  The only CA that currently does this to my knowledge is Entrust.

I agree with Rich Salz's response.  OCSP is a great way to go (and,
Valicert offers an Apache plug-in).  :-)

Lorrayne






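The gap described in this thread, and the combined-CRL fix Alec ends up with, as an added example in Go (not code from the thread, from mod_ssl, from OpenSSL or from Entrust). A CA, three client certificates, two partitioned CRLs (serial 1 revoked in the first, serial 3 in the second) and one combined CRL are constructed in memory with Go's crypto/x509; a lookup that consults only the first partition is then compared with lookups that consult every partition or the combined CRL. The "first partition only" lookup models the behaviour Alec reports, not mod_ssl's own code. The checker also refuses to call a certificate good when no CRL from the issuing CA is usable (none given, signed by another CA, or outside its ThisUpdate/NextUpdate window), which is the fail-closed check a practitioner wants around any CRL lookup. Every name, serial and key here is an assumption constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Status int

const (
	Good    Status = iota
	Revoked        // serial listed in a trusted, current CRL
	Unknown        // no trusted, current CRL available: fail closed, never "good"
)

func (s Status) String() string { return [...]string{"good", "REVOKED", "unknown"}[s] }

// CheckRevocation looks cert up in every CRL it is given. A CRL counts only if
// it verifies against the issuing CA and now lies inside [ThisUpdate, NextUpdate].
func CheckRevocation(cert, ca *x509.Certificate, crls [][]byte, now time.Time) Status {
	usable := 0
	for _, der := range crls {
		rl, err := x509.ParseRevocationList(der)
		if err != nil || rl.CheckSignatureFrom(ca) != nil ||
			now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
			continue // unparsable, foreign or stale CRL: ignore it
		}
		usable++
		for _, rc := range rl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return Revoked
			}
		}
	}
	if usable == 0 {
		return Unknown
	}
	return Good
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// TestPKI is built in memory as a stand-in for the Entrust material in the
// thread (constructed, not real Entrust output): one CA, client certs with
// serials 1..3, two partitioned CRLs (serial 1 in the first, serial 3 in the
// second) and one combined CRL listing both revocations.
type TestPKI struct {
	CA       *x509.Certificate
	Certs    []*x509.Certificate
	Parts    [][]byte // partitioned CRLs, DER
	Combined []byte   // combined CRL, DER
}

func NewTestPKI() *TestPKI {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1000), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRL signing is needed below
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	ca, err := x509.ParseCertificate(caDER)
	check(err)
	p := &TestPKI{CA: ca}
	for serial := int64(1); serial <= 3; serial++ {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		check(err)
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: fmt.Sprintf("user%d", serial)},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &k.PublicKey, caKey)
		check(err)
		c, err := x509.ParseCertificate(der)
		check(err)
		p.Certs = append(p.Certs, c)
	}
	// crl signs a CRL with the given CRL number revoking the listed serials.
	// RevokedCertificates keeps this buildable on Go 1.19+ (Go 1.21 adds
	// RevokedCertificateEntries); the parser fills it on read either way.
	crl := func(number int64, serials ...int64) []byte {
		var revoked []pkix.RevokedCertificate
		for _, s := range serials {
			revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now.Add(-30 * time.Minute)})
		}
		der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
			Number: big.NewInt(number), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(12 * time.Hour),
			RevokedCertificates: revoked,
		}, ca, caKey)
		check(err)
		return der
	}
	p.Parts = [][]byte{crl(1, 1), crl(2, 3)}
	p.Combined = crl(3, 1, 3)
	return p
}

func main() {
	p, now := NewTestPKI(), time.Now()
	for _, c := range p.Certs {
		fmt.Printf("serial %v: first partition only=%v, all partitions=%v, combined CRL=%v\n", c.SerialNumber,
			CheckRevocation(c, p.CA, p.Parts[:1], now), CheckRevocation(c, p.CA, p.Parts, now),
			CheckRevocation(c, p.CA, [][]byte{p.Combined}, now))
	}
}
```

Run it with `go run`; the line for serial 3 shows the problem from the first post (good when only the first partition is consulted, REVOKED with all partitions or with the combined CRL), and serial 2 shows that a valid, unrevoked certificate is still accepted. Feeding the checker no CRL, a CRL from another CA, or a CRL past its NextUpdate yields "unknown" rather than "good"; a server that maps "unknown" to "accept" has the same hole as one that reads only the first partition.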