> I understand this, and know how certificates and CRLs work. When I said I'm
> using LDAP from where I want to get the user certificate, I thought in a way that
> each user has their own certificate which is stored in the people entry on LDAP, but
> also that certificate is stored in a trusted keystore file.

That would fall under certificate verification. You would do it in lieu of a CRL check, for example. Again, it has nothing to do with proving whether the presenter of the certificate possesses the key; that is a vital computation and one that MUST be done via client SSL to ensure adequate security.

> All I wanted is to
> get the certificate from the signature, then get the uid from the certificate, and with that
> uid to find the user on LDAP, get the certificate from the LDAP user entry and compare
> them; also I'll check whether the certificate is trusted and whether it is revoked.

You can do as you like, but anything other than client SSL is likely to be more difficult to implement and harder to demonstrate it meets security requirements. If, on the other hand, you follow the recommendations of the wiki page I cited, you'll be on sound footing.

> Is there any
> documentation and examples about using X.509 and CRLs, and what do I need to
> test it (hardware token - can I use some keystore file for it)?

Please search the list archives for discussion of CRL support. I described it recently and provided a fair bit of documentation citations; searching the Google Groups mirror likely provides the best search interface:

https://groups.google.com/forum/?fromgroups#!forum/jasig-cas-user

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
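The two checks discussed in this exchange, shown in Java with the JDK's standard PKIX API as an added example (not code from CAS or from either poster): path validation of the presented certificate with CRL revocation checking, and a comparison against the certificate stored on the user's LDAP entry. The class name, the assumption that the LDAP value has already been fetched as DER bytes, and the command-line file paths are all assumptions for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;

public final class X509CheckExample {

    /** Validates the presented certificate against the truststore's trust anchors with
     *  revocation checked against crl; throws CertPathValidatorException if untrusted,
     *  expired or revoked. */
    public static PKIXCertPathValidatorResult validate(
            X509Certificate presented, KeyStore truststore, X509CRL crl) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(presented));
        PKIXParameters params = new PKIXParameters(truststore);
        params.setRevocationEnabled(true);
        // Supply the CRL as a CertStore: without revocation data the PKIX validator
        // fails closed instead of silently skipping the revocation check.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(crl))));
        return (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    /** Compares the presented certificate with the DER bytes read from the user's LDAP
     *  entry (userCertificate;binary, assumed fetched already). A match shows the same
     *  certificate was enrolled; it does NOT prove the presenter holds the private key,
     *  which only the client-SSL handshake establishes. */
    public static boolean matchesDirectoryCertificate(X509Certificate presented, byte[] ldapDer)
            throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate stored = cf.generateCertificate(new ByteArrayInputStream(ldapDer));
        return presented.equals(stored);
    }

    // Usage: java X509CheckExample <truststore> <password> <user.cer> <ca.crl>  (placeholder paths)
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) { ts.load(in, args[1].toCharArray()); }
        X509Certificate presented;
        try (InputStream in = new FileInputStream(args[2])) { presented = (X509Certificate) cf.generateCertificate(in); }
        X509CRL crl;
        try (InputStream in = new FileInputStream(args[3])) { crl = (X509CRL) cf.generateCRL(in); }
        TrustAnchor anchor = validate(presented, ts, crl).getTrustAnchor();
        System.out.println("trusted, not revoked; anchor: " + anchor.getTrustedCert().getSubjectX500Principal());
    }
}
```

The truststore must contain the issuing CA as a trusted certificate entry and the CRL must be signed by that CA, otherwise validation throws rather than passing.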
