Re: Partitioned CRLs

2008-10-21 Thread Cuesta Gilles
Nuno Ponte wrote:
 Hi,

 We are running a CA that has thousands of revoked certificates,
 which leads to CRLs of several MBytes.

 On the next renewal of the CA, we are thinking of partitioning the
 CRLs at each X number of issued certificates. The issued certificates
 will have different CRL Distribution Points (CDP) according to the
 partitions they are assigned.

 For example, for X=100, from certificate 1 to certificate 100, the
 CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101
 to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.
   
The CDP is embedded when creating the certificate, so it might be possible
(client side).

Server side, you can stack as many CRLs as you want into either a single
file or a directory (using hashing) and point to it in Apache.
But you may apply a patch for multiple identical DN handling.
http://marc.info/?l=apache-httpd-dev&m=120350484626015&q=p3

Why didn't you implement OCSP in Apache?
http://sitola.fi.muni.cz/%7Etauceti/?download=ocsp_apache_2.2.patch (I
didn't test it anyway)

-- 
The Mona Lisa does not smile in front of Chuck Norris.
Gilles CUESTA - Logiciels Libres
69139920
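The hashed CRL directory Gilles mentions has one catch with partitioned CRLs: every partition is signed by the same CA, so `openssl crl -hash` gives the same value for all of them, and they can only coexist as `<hash>.r0`, `<hash>.r1`, ... links (the identical-DN case the linked patch is about). The script below is an added example, not from the thread; it assumes `openssl` on PATH, PEM partition CRLs named `*.crl` in a source directory, and the hypothetical target paths in the usage comment.

```shell
#!/bin/sh
# Added example: build an SSLCARevocationPath-style hashed directory from a
# set of partitioned CRLs that all share one issuer DN (and thus one hash).
set -eu

# Return the first unused link name for issuer hash HSH in DIR:
# <hsh>.r0, then <hsh>.r1, ... so same-issuer CRLs do not overwrite each other.
next_crl_link() {
    hsh=$1; dir=$2; n=0
    while [ -e "$dir/$hsh.r$n" ]; do
        n=$((n + 1))
    done
    printf '%s\n' "$hsh.r$n"
}

# Link every *.crl in SRC into DST under its issuer hash (needs openssl on PATH).
hash_crl_dir() {
    src=$1; dst=$2
    mkdir -p "$dst"
    abssrc=$(cd "$src" && pwd)
    for crl in "$src"/*.crl; do
        [ -e "$crl" ] || continue
        h=$(openssl crl -hash -noout -in "$crl")
        ln -sf "$abssrc/$(basename "$crl")" "$dst/$(next_crl_link "$h" "$dst")"
    done
    # Show how many links each hash received; partitioned CRLs collide on purpose.
    ls "$dst" | sed 's/\.r[0-9]*$//' | sort | uniq -c
}

# Usage with hypothetical paths (uncomment to run):
# hash_crl_dir /etc/ssl/crl-partitions /etc/ssl/crl-hashed
```

Re-run the script after each partition is reissued, since the numbering only grows; a stale `.rN` link still points at the old file.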




Re: Partitioned CRLs

2008-10-21 Thread Nuno Ponte
Hi Gilles,

Thanks for your reply! :-)

The CA also offers OCSP, which is obviously the preferred way to
validate certificate status. I am just trying to make sure that there
is support from the applications world to such a CRL partitioning
scheme. Wide interoperability is a key goal.

Regards,

   Nuno Ponte


On Tue, Oct 21, 2008 at 11:04 AM, Cuesta Gilles [EMAIL PROTECTED] wrote:

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager      [EMAIL PROTECTED]