
Re: OCSP and LDAP



Hi all,

I am quoting one answer for all as it seems they all share the same
vision.


Ambarish Malpani wrote:
> Hi Massimiliano,
>     You should seriously consider having your responder work off a
> CA's CRL, rather than trying to access its database directly.

Well, our approach is towards the usage of an off-line CA, so my problem is that usually the CRL could be not up to date to the latest status of the certificate (let's say a user requests its certificate to be revoked; from this time to the time the CRL will be issued there could be a time gap during which I want the certificate to be reported as invalid -- let's say with the onHold reason).

For this reason I need some more information rather than the only
CRL.

There is another question about this approach: if the client requests
the status of one certificate with a serial that is not within the CRL,
should not the responder check for it (i.e. its existence?) and,
if it does not have information about it, return an "unknown"
answer?

> There are a set of reasons why this is a good idea. Here are a
> few (in no particular order):
>
> - CA independence (might not be important for you)

This is one of the most important reasons that drives my questions.


> - Helps auditability of the VA
> - Allows better control over replication (where you don't need
> 	to rely on LDAP replication - most CAs won't want to
> 	replicate the rest of their LDAP data)
> - Better performance - can keep the revocation data in memory and
> 	respond from memory - won't need to also have a LDAP lookup

I know; indeed we actually use a single file generated from the certificates' db that is read by the responder and kept in memory, but as the number of certificates grows, and in case of a spawning-process approach, used memory grows and performance drops.

IMHO I guess I need the latest CRL and the latest CSL (list of
"suspended" certificates -- i.e. certificates that for any reason
"could" be revoked but they are not, yet).

From your answers I guess there is no reference on how to store
this information onto LDAP.

Do you think the best method could be storing a single pkcs7 file
with all the information into the main CA entry onto LDAP (and
when the CA updates the information, the OCSP will update its
internal data), or is it best having a field in the user's entry?

Thanks to all of you for your answers.

--

C'you,

Massimiliano Pala

--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]                madwolf@xxxxxxxxxx
                                                 Tel.:   +39 (0)59  270  094
http://www.openca.org                            Fax:    +39   178  221 8225
http://openca.sourceforge.net                    Mobile: +39 (0)347 7222 365
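The status logic discussed in this message (latest CRL plus a "suspended" list, and "unknown" for serials the responder has no record of), as an added example that is not part of the original post and is not OpenCA code. It assumes a responder that is handed three in-memory sets: the serials the CA has issued, the latest CRL (with its thisUpdate/nextUpdate window), and the CSL of serials awaiting the next CRL; the names, the sample serials and the reason codes used for the sample data are constructed for the example. Serials not known to be issued answer "unknown", a serial on the CSL answers "revoked" with the certificateHold (onHold) reason, and a CRL past its nextUpdate also degrades to "unknown" rather than vouching "good" from stale data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

# CRLReason values from RFC 5280 (subset). certificateHold is the
# "onHold" reason mentioned in the discussion above.
REASON_UNSPECIFIED = 0
REASON_KEY_COMPROMISE = 1
REASON_CERTIFICATE_HOLD = 6


@dataclass
class CRL:
    """In-memory view of the latest CRL the responder has loaded."""
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, int] = field(default_factory=dict)  # serial -> reason


@dataclass
class ResponderData:
    """Everything the responder answers from; refreshed when the CA publishes."""
    issued: Set[int]       # serials the CA is known to have issued (assumed snapshot)
    crl: CRL               # latest CRL
    suspended: Set[int]    # the "CSL": serials revoked/held since the CRL was issued

    def status(self, serial: int, now: datetime) -> Tuple[str, Optional[int]]:
        """Return (OCSP status, CRLReason or None) for one serial."""
        # A serial the CA never issued: the responder has no record, so it
        # must not claim "good". Answer "unknown".
        if serial not in self.issued:
            return ("unknown", None)
        # Listed on the CRL: revoked, with the CRL's reason.
        if serial in self.crl.revoked:
            return ("revoked", self.crl.revoked[serial])
        # Not yet on a CRL but suspended since the last CRL: report it as
        # revoked with certificateHold so relying parties stop trusting it now.
        if serial in self.suspended:
            return ("revoked", REASON_CERTIFICATE_HOLD)
        # The CRL is past nextUpdate: the "good" answer would rest on stale
        # data, so refuse to vouch for it.
        if now > self.crl.next_update:
            return ("unknown", None)
        return ("good", None)


# Constructed sample data (not real certificates).
SAMPLE_NOW = datetime(2001, 6, 1, 12, 0, tzinfo=timezone.utc)


def build_sample_data() -> ResponderData:
    crl = CRL(
        this_update=SAMPLE_NOW - timedelta(days=1),
        next_update=SAMPLE_NOW + timedelta(days=6),
        revoked={2: REASON_KEY_COMPROMISE},
    )
    return ResponderData(
        issued={1, 2, 3},   # serial 4 is deliberately absent: never issued
        crl=crl,
        suspended={3},      # revocation requested after the CRL was issued
    )


if __name__ == "__main__":
    data = build_sample_data()
    for serial in (1, 2, 3, 4):
        print(serial, data.status(serial, SAMPLE_NOW))
    # a week later the CRL has expired and "good" is no longer vouched for
    print(1, data.status(1, SAMPLE_NOW + timedelta(days=7)))
```

The CSL check sits after the CRL check on purpose: once the CA issues a CRL that carries the serial (with its final reason) the hold entry becomes redundant, and the CRL's reason wins.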
