Partitioned CRLs

Hi,

We are running a CA that has thousands of revoked certificates, which leads to CRLs of several MBytes.

On the next renewal of the CA, we are thinking of partitioning the CRLs at each X number of issued certificates. The issued certificates will have different CRL Distribution Points (CDP) according to the partitions they are assigned.

For example, for X=100, from certificate 1 to certificate 100, the CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101 to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.

My question: Is mod_ssl/openssl prepared to support partitioned CRLs in the way described? In particular, if CRLs are cached, mod_ssl must be able to merge several different partitions according to the CDP to create a unified view over the revocation universe of a CA.

Regards,
Nuno Ponte

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@...
Automated List Manager majordomo@...
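The partitioning scheme in the question above, as an added model (not mod_ssl or OpenSSL code): serial N maps to partition ceil(N / X) with the CDP URL pattern from the post, and the relying party merges the partitions it has fetched into one view. It assumes each partition CRL lists only serials from its own range, and the revoked serial sets are constructed sample data standing in for parsed CRL files.

```python
"""Partitioned-CRL model: certificate N belongs to partition ceil(N / X),
each partition has its own CDP URL, and fetched partitions are merged
into one revocation view. Constructed illustration, not mod_ssl code."""
from math import ceil

X = 100                                        # partition size from the thread
BASE = "http://myca.com/crl/myca-{:04d}.crl"   # CDP pattern from the thread


def partition_of(serial: int) -> int:
    """Serials 1..X are partition 1, X+1..2X partition 2, and so on."""
    if serial < 1:
        raise ValueError("serial numbers start at 1 in this scheme")
    return ceil(serial / X)


def cdp_for(serial: int) -> str:
    """CDP URL that would be embedded in the certificate with this serial."""
    return BASE.format(partition_of(serial))


class RevocationView:
    """Unified view over the partition CRLs fetched so far.

    Key edge case: a serial whose partition has NOT been fetched is reported
    as 'unknown', never 'good'. Treating a missing partition as 'no
    revocations' would silently accept a revoked certificate."""

    def __init__(self) -> None:
        self.partitions: dict[int, frozenset[int]] = {}

    def load(self, cdp_url: str, revoked_serials) -> None:
        # Partition number is the 4-digit suffix of the CDP URL.
        number = int(cdp_url.rsplit("-", 1)[1].removesuffix(".crl"))
        revoked = frozenset(revoked_serials)
        # Assumption: a partition CRL only lists serials from its own range;
        # anything else points at a mis-issued CRL and is rejected.
        if any(partition_of(s) != number for s in revoked):
            raise ValueError(f"serial outside partition {number} in {cdp_url}")
        self.partitions[number] = revoked

    def status(self, serial: int) -> str:
        part = partition_of(serial)
        if part not in self.partitions:
            return "unknown"          # fail closed: partition not fetched yet
        return "revoked" if serial in self.partitions[part] else "good"


# Constructed sample: partitions 1 and 2 fetched, partition 3 not yet fetched.
view = RevocationView()
view.load(cdp_for(1), {7, 42})
view.load(cdp_for(150), {101, 199})
```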
Re: Partitioned CRLs

Nuno Ponte wrote:
> Hi,
>
> We are running a CA that has thousands of revoked certificates,
> which leads to CRLs of several MBytes.
>
> On the next renewal of the CA, we are thinking of partitioning the
> CRLs at each X number of issued certificates. The issued certificates
> will have different CRL Distribution Points (CDP) according to the
> partitions they are assigned.
>
> For example, for X=100, from certificate 1 to certificate 100, the
> CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101
> to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.
>
CDP is embedded when creating certificate, so it might be possible (client side).

Server side, you can stack as many crl as you want into either a single file, or a directory (using hashing) and point to it into Apache.
But you may apply a patch for multiple identical DN handling.
http://marc.info/?l=apache-httpd-dev&m=120350484626015&q=p3

Why didn't you implement OCSP into Apache ?
http://sitola.fi.muni.cz/%7Etauceti/?download=ocsp_apache_2.2.patch (I didn't test it anyway)

--
The Mona Lisa does not smile in front of Chuck Norris.
Gilles CUESTA - Logiciels Libres
69139920
Re: Partitioned CRLs

Hi Gilles,

Thanks for your reply! :-)

The CA also offers OCSP, which is obviously the preferred way to validate certificate status. I am just trying to make sure that there is support from the "applications world" for such a CRL partitioning scheme. Wide interoperability is a key goal.

Regards,
Nuno Ponte

On Tue, Oct 21, 2008 at 11:04 AM, Cuesta Gilles <gilles.cuesta@...> wrote:
> Nuno Ponte wrote:
>> Hi,
>>
>> We are running a CA that has thousands of revoked certificates,
>> which leads to CRLs of several MBytes.
>>
>> On the next renewal of the CA, we are thinking of partitioning the
>> CRLs at each X number of issued certificates. The issued certificates
>> will have different CRL Distribution Points (CDP) according to the
>> partitions they are assigned.
>>
>> For example, for X=100, from certificate 1 to certificate 100, the
>> CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101
>> to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.
>>
> CDP is embedded when creating certificate, so it might be possible
> (client side).
>
> Server side, you can stack as many crl as you want into either a single
> file, or a directory (using hashing) and point to it into Apache.
> But you may apply a patch for multiple identical DN handling.
> http://marc.info/?l=apache-httpd-dev&m=120350484626015&q=p3
>
> Why didn't you implement OCSP into Apache ?
> http://sitola.fi.muni.cz/%7Etauceti/?download=ocsp_apache_2.2.patch (I
> didn't test it anyway)
>
> --
> The Mona Lisa does not smile in front of Chuck Norris.
> Gilles CUESTA - Logiciels Libres
> 69139920