Goetz wrote:

I think your security model is broken.
A CRL and with that the server clients can download it from is part of
the chain of security of the CA.
So these servers must be on (best case) dedicated servers that are
specially hardened for this usage.

These servers are a (potentially outsourced) part of the CA.
So the CA needs this list anyway and can incorporate it into all
certificates.

Letting the client set the crlDistributionPoints may lead to something
like:

To check if the security of www.server.net is compromised,
go to www.server.net and download the CRL.
But if the security of this site is compromised, you can't trust
any data you downloaded from it.


What you can do is something like:
* The CA generates the CRLs.
* The CA sends the CRLs to a (fixed) known list of external servers
  clients can download them from.
* On signing the CA incorporates this list of CRL download servers
  into the certificates.
* Clients that want to download the CRL contact one of these servers.
  The server the client contacts to download the CRL is decided
  on the client.

Bye

Goetz




Hello Goetz,

Thank you for your comments and criticism concerning my scenario. I’m
analysing and trying to build up this scenario by order of my professor. So
“it doesn’t make any sense” is an acceptable result as well ;)

--“I think your security model is broken….”

In this scenario the CRL shall be kept on the www.server.net. And this
server is NOT a part of the CA’s security chain. The CA creates, signs and
stores the CRL as usual. But in addition the CA also sends a copy of the CRL
to www.server.net, which stores the CRL wherever it wants. (Pushing or
pulling the CRL is not important to me.)

--“But if the security of this site is compromised, you can't trust any data
you downloaded from it.”

For this reason the CA has to sign the CRL before sending it to
www.server.net. When the site is compromised it won’t publish the current
CRL. And a missing up-to-date CRL tells everybody that this site is
compromised.

I hope this idea is not too strange and I’m not telling too much nonsense ;)
So I still have got the problem that the certificate request shall include
the CRL distribution point and that the CA has to “copy” it when signing the
certificate without knowing the CRL DP in the forefront.

I’m looking forward to getting more comments, criticism and probably the solution
to my problem.

Greetings domi


-- 
View this message in context: 
http://www.nabble.com/crlDistributionPoints-in-a-certificate-request-tf3148251.html#a8749031
Sent from the OpenSSL - User mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
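
The relying-party side of the scheme discussed in this thread, as an added example that is not part of the original messages: a CRL copy fetched from the untrusted site is accepted only if the CA's signature verifies and nextUpdate is still in the future, and every other outcome is reported separately. The demo CA, file names, status strings and the use of GNU `date -d` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Demo CA, paths and status names are constructed.

# check_crl CRL CA_CERT [NOW_EPOCH] -> prints ok | missing | unverified | stale
check_crl() {
    crl=$1 ca=$2 now=${3:-$(date -u +%s)}
    [ -s "$crl" ] || { echo missing; return 0; }
    # openssl reports the signature result on stderr; some releases exit 0 on failure.
    openssl crl -in "$crl" -CAfile "$ca" -noout 2>&1 | grep -q 'verify OK' ||
        { echo unverified; return 0; }
    next=$(openssl crl -in "$crl" -noout -nextupdate | cut -d= -f2)
    # Assumption: GNU date parses openssl's "Mon DD HH:MM:SS YYYY GMT" format.
    [ "$(date -u -d "$next" +%s)" -gt "$now" ] || { echo stale; return 0; }
    echo ok
}

# demo_setup DIR: a CA, a rogue key using the same subject name, and a 7-day CRL.
demo_setup() {
    d=$1
    : > "$d/index.txt"
    cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca]
default_ca = demo
[demo]
database = $d/index.txt
default_md = sha256
EOF
    for n in ca rogue; do
        openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
            -subj "/CN=Demo CA" -days 30 -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null
    done
    openssl ca -config "$d/ca.cnf" -gencrl -crldays 7 -keyfile "$d/ca.key" \
        -cert "$d/ca.pem" -out "$d/crl.pem" 2>/dev/null
}

dir=$(mktemp -d) && demo_setup "$dir"
check_crl "$dir/crl.pem" "$dir/ca.pem"                                  # CA-signed, current
check_crl "$dir/crl.pem" "$dir/rogue.pem"                               # signed by another key
check_crl "$dir/crl.pem" "$dir/ca.pem" $(( $(date -u +%s) + 2592000 ))  # 30 days later
check_crl "$dir/none.pem" "$dir/ca.pem"                                 # nothing published
```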
