DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=14104>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=14104

------- Additional Comments From [EMAIL PROTECTED]  2006-05-23 12:58 -------
Hi All,

I also have the same problem.

You seem to forget the exact role of a CRL.
Remember: a CRL in X.509 format is a list of revoked certificates. Thus, the goal
here is to stop access for someone who has a revoked certificate.

From a security point of view, waiting until the CRL expiration date is not a
good solution (it can be 2 days or more). You put your business at risk. In fact,
according to some PKI policies (CSP - Certificate Security Policies), depending
on your working environment (as in my case), revoked certificates must be
blocked at most 10 seconds after the effective revocation. Thus in my case, as soon as
the CRL has been updated, you have to reload it and block any access. This
is not special to my case: any company (insurance, financial, ...)
has these types of rules.

More: a CRL, in our case, is published every 30 min, even if no revocation occurs
(to avoid overwriting our CRL and to ensure that all chains are working), or
immediately after a revocation. Its expiration date (next update) is at least 48
hours (this is only for business continuity, to have time to intervene
in case of a CRL distribution problem or whatever).

More: we are also using appliance reverse proxy hardware, an XML security
gateway, and a software application firewall appliance. All of them have this type of
feature for the CRL. They load it either based on a regular verification interval
(i.e. every 5 seconds) or immediately after detecting the change. It depends
on the product. Why would this be different in Apache? Microsoft's IIS
works like that too.

Regards
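As an added illustration (not code from this bug report or from Apache), a small simulation of the two refresh policies the comment contrasts: reloading the CRL only once its nextUpdate has passed, versus polling the CRL source every few seconds and reloading when it has been republished. The clock, the CRL contents and serial number 42 are all constructed; no real CRL parsing is performed.

```python
"""Exposure window of a freshly revoked certificate under two CRL-refresh
policies: "expiry" (reload only at nextUpdate, 48 h here) and "change"
(poll the CRL source every 5 s and reload when it was republished)."""
from dataclasses import dataclass


@dataclass
class Crl:
    this_update: int          # constructed clock, seconds
    next_update: int
    revoked: frozenset        # certificate serial numbers


@dataclass
class CrlSource:
    """Stand-in for a CRL file or distribution point; mtime changes on republish."""
    crl: Crl
    mtime: int

    def publish(self, crl: Crl, now: int) -> None:
        self.crl, self.mtime = crl, now


class Verifier:
    """Caches one CRL and refreshes it according to the chosen policy."""
    def __init__(self, source: CrlSource, now: int, policy: str, poll: int = 5):
        self.source, self.policy, self.poll = source, policy, poll
        self.last_poll, self.loaded_mtime, self.crl = now, source.mtime, source.crl

    def _refresh(self, now: int) -> None:
        if self.policy == "expiry":                       # wait for nextUpdate
            if now >= self.crl.next_update:
                self.crl, self.loaded_mtime = self.source.crl, self.source.mtime
        elif self.policy == "change":                     # poll for republish
            if now - self.last_poll >= self.poll:
                self.last_poll = now
                if self.source.mtime != self.loaded_mtime:
                    self.crl, self.loaded_mtime = self.source.crl, self.source.mtime
        else:
            raise ValueError(self.policy)

    def is_revoked(self, serial: int, now: int) -> bool:
        self._refresh(now)
        return serial in self.crl.revoked


def exposure_window(policy: str) -> int:
    """Seconds for which serial 42, revoked at t0+62, is still accepted."""
    t0, revoke_at = 1_000_000, 1_000_062
    src = CrlSource(Crl(t0, t0 + 48 * 3600, frozenset()), mtime=t0)
    v = Verifier(src, t0, policy)
    for t in range(t0, t0 + 49 * 3600):                  # one check per second
        if t == revoke_at:                                # CA republishes the CRL
            src.publish(Crl(t, t + 48 * 3600, frozenset({42})), now=t)
        if v.is_revoked(42, t):
            return t - revoke_at
    return -1
```

With the change-driven policy the revoked certificate is rejected within one poll interval; with the expiry-driven policy it stays accepted until the old CRL's nextUpdate, almost 48 hours later.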
