Re: Multiple CRLs with same CA
Hello there,

Thanks a lot for your help and input. Actually I found a solution to the problem. Entrust allows partitioned CRLs by default (CRLs are split for scalability purposes) but you can enable the combined CRL which will not be split (for compatibility, as the partitioned CRL is only an option in the standard). So this one works well with openssl/mod_ssl. Those 2 CRLs (combined and partitioned) will work both at the same time without problems.

If you want more info on that, don't hesitate to ask me.

Cheers,
Alec

From Schaefer,Lorrayne J. [EMAIL PROTECTED] on 12 December 2001 9:07:02
To : [EMAIL PROTECTED]
Copy To : [EMAIL PROTECTED]
Subject : Re: Multiple CRLs with same CA

> Hi everyone. I was chatting with an Entrust engineer yesterday about partitioned CRLs (this is where you can break it down by something such as size). The only CA that currently does this to my knowledge is Entrust. I agree with Rich Salz's response. OCSP is a great way to go (and, Valicert offers an Apache plug-in). :-)
>
> Lorrayne

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

Alec Barea
PKI engineering team
Equant
Tel: +1 514 847-3436
CVS: 225 3436
[no subject]
Hello Rich,

Do you have more information about OCSP? Do you think it could solve my problem?

Regards,
Alec

> No, openssl does not yet support the (infinite:) ways to split CRLs that Entrust likes. OCSP is simpler. :)
>
> /r$
> --
> Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
> http://www.zolera.com
Re:
Hello Rich,

Thanks for the tip.

Alec

From Rich Salz [EMAIL PROTECTED] on 12 December 2001 9:46:13
To : [EMAIL PROTECTED]
Copy To : [EMAIL PROTECTED]
Subject : Re:

> Using OCSP transfers the complexity of CRL processing from all clients to a few servers. Entrust believes in CRLs :), so I don't think they have an OCSP responder. You'd need to find one that understood the various CRL extensions used by Entrust. (Or implement it yourself for your clients, of course.)
>
> As for how to find such a product, I would post a brief note on the IETF PKIX mailing list asking for pointers to a product that can handle the various Entrust CRLs.
>
> /r$
> --
> Zolera Systems, Your Key to Online Integrity
> Securing Web services: XML, SOAP, Dig-sig, Encryption
> http://www.zolera.com
Re: Multiple CRLs with same CA
Hello Lorrayne,

Thanks for your input. By any chance, do you know if I can use OCSP with an Entrust CA (instead of CRLs)?

Regards,
Alec

From Schaefer,Lorrayne J. [EMAIL PROTECTED] on 12 December 2001 9:07:02
To : [EMAIL PROTECTED]
Copy To : [EMAIL PROTECTED]
Subject : Re: Multiple CRLs with same CA

> Hi everyone. I was chatting with an Entrust engineer yesterday about partitioned CRLs (this is where you can break it down by something such as size). The only CA that currently does this to my knowledge is Entrust. I agree with Rich Salz's response. OCSP is a great way to go (and, Valicert offers an Apache plug-in). :-)
>
> Lorrayne
Multiple CRLs with same CA
Hello there,

Is mod_ssl supporting having multiple CRLs for 1 CA? It seems it's not, and that's very annoying in my situation. I'm using Entrust PKI software which splits the CRL list when it reaches a defined size (for scalability). mod_ssl seems to check only the first CRL and doesn't care about the others, which means that users with revoked certificates can use them...

Regards,
Alec
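An added example, not code from this thread or from mod_ssl, showing what a partition-aware revocation check has to do: verify each CRL against the CA and union the revoked serials from every partition instead of stopping at the first file, which is the gap Alec describes (the combined CRL from his later reply is shown as the equivalent single list). It uses the third-party cryptography package and constructs its own throwaway CA, serial numbers and CRL partitions in memory; none of those values come from Entrust.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

# Constructed fixtures: a throwaway CA and fixed timestamps (assumptions, not Entrust data).
NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])

def make_ca():
    """Self-signed test CA; returns (private key, certificate)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (x509.CertificateBuilder().subject_name(CA_NAME).issuer_name(CA_NAME)
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_crl(ca_key, serials):
    """One CRL 'partition': a CA-signed list holding only the given serials."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for s in serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def first_crl_only(serial, crls):
    """The behaviour the thread complains about: only the first CRL is consulted."""
    return crls[0].get_revoked_certificate_by_serial_number(serial) is not None

def is_revoked(serial, ca_cert, crls):
    """Partition-aware check: verify each CRL's signature, then union every list."""
    revoked = set()
    for crl in crls:
        if not crl.is_signature_valid(ca_cert.public_key()):
            raise ValueError("CRL not signed by the expected CA; refusing to trust it")
        revoked.update(r.serial_number for r in crl)
    return serial in revoked

def demo():
    """Serial 2002 is revoked only in partition 2; returns (naive, partition-aware, combined)."""
    ca_key, ca_cert = make_ca()
    part1, part2 = make_crl(ca_key, [1001, 1002]), make_crl(ca_key, [2001, 2002])
    combined = make_crl(ca_key, [1001, 1002, 2001, 2002])  # one unsplit list, like Entrust's combined CRL
    return (first_crl_only(2002, [part1, part2]),       # False: revocation missed
            is_revoked(2002, ca_cert, [part1, part2]),  # True
            is_revoked(2002, ca_cert, [combined]))      # True
```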
Re: Multiple CRLs with same CA
Hello Mads,

Thanks for your answer. I took a look at the web page of mod_authz_ldap but couldn't figure out how it could help me; can you explain your thoughts a bit more?

Regards,
Alec

From Mads Toftum [EMAIL PROTECTED] on 11 December 2001 23:45:53
To : [EMAIL PROTECTED]
Subject : Re: Multiple CRLs with same CA

> On Tue, Dec 11, 2001 at 05:32:42PM -0500, [EMAIL PROTECTED] wrote:
>> Hello there, Is mod_ssl supporting having multiple CRLs for 1 CA? It seems it's not, and that's very annoying in my situation. I'm using Entrust PKI software which splits the CRL list when it reaches a defined size (for scalability). mod_ssl seems to check only the first CRL and doesn't care about the others, which means that users with revoked certificates can use them...
>
> Hmmm - perhaps you could use mod_authz_ldap - AFAICT it should be a usable solution in an Entrust setup.
>
> vh
>
> Mads Toftum
> --
> With a rubber duck, one's never alone.
> -- The Hitchhiker's Guide to the Galaxy
Having the possibility to get the policy of the certificate for cgis
Hello there,

What do you think of the idea of being able to get the certificate policy (SSL_CLIENT_CERTPOL) available for CGIs? This would enable some more checking on the web side. I'm actually using a modified version of mod_ssl 2.7.1-1.3.14 which does that and it's a must. I could send the patch for version 2.7.1-1.3.14 if anybody is willing to work on it (I didn't make it and cannot make it work with the new version).

Cheers,
Alec