> However you could (should) configure CRL at the level of the (http)
> connector at the Servlet Container. If you're using Tomcat, then I *think*
> it might be wise to switch to the APR for this.

This sounds like a feasible option -- thanks for pointing it out.

> I've been investigating OCSP.... It has some advantages over CRL (and
> disadvantages of course)

I will look into this, but due to our PKI it's unlikely we would support anything other than CRL.

> Let's find the best solution together here... any suggestions?

I've reviewed the code for the X509CredentialsAuthenticationHandler class and it looks very straightforward to add an additional property for a CRL and an additional check in the authenticate method to verify a certificate against the provided CRL. I suppose we would check _all_ the certificates in the chain for validity against the CRL and raise an exception, similar to X509Certificate.checkValidity, if any has been revoked.

Does this sound feasible? Any caveats we should be aware of with this approach?

Thanks,
Marvin

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
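An added example of the chain-wide CRL check sketched above; it is written for this page and is not code from CAS or from the thread's authors. It assumes the handler has already loaded its CRLs and CA certificates from configuration (e.g. via CertificateFactory.generateCRL / generateCertificate), and the class name and constructor are hypothetical; it also covers two caveats the message does not mention, verifying the CRL's signature against a trusted CA and refusing a stale CRL.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/** Added example, not CAS code: revocation check of a whole chain against configured CRLs. */
public final class CrlChainValidator {

    private final List<X509CRL> crls;                // one CRL per issuing CA, loaded from config
    private final List<X509Certificate> trustedCas;  // CA certificates allowed to sign those CRLs

    public CrlChainValidator(List<X509CRL> crls, List<X509Certificate> trustedCas) {
        this.crls = crls;
        this.trustedCas = trustedCas;
    }

    /** Throws, like X509Certificate.checkValidity, if any certificate in the chain is revoked or cannot be checked. */
    public void checkChain(X509Certificate[] chain, Date now) throws GeneralSecurityException {
        for (X509Certificate cert : chain) {
            cert.checkValidity(now);                      // expiry, as the handler already does
            X500Principal issuer = cert.getIssuerX500Principal();
            // Each certificate is covered only by the CRL of its own issuer; fail closed if none is configured.
            X509CRL crl = crls.stream()
                    .filter(c -> c.getIssuerX500Principal().equals(issuer))
                    .findFirst()
                    .orElseThrow(() -> new GeneralSecurityException("no CRL configured for issuer " + issuer));
            checkCrlTrusted(crl, now);
            if (crl.isRevoked(cert)) {
                throw new GeneralSecurityException("certificate revoked: " + cert.getSubjectX500Principal());
            }
        }
    }

    /** A CRL is only evidence if it was signed by a trusted CA and is still current. */
    private void checkCrlTrusted(X509CRL crl, Date now) throws GeneralSecurityException {
        X509Certificate signer = trustedCas.stream()
                .filter(ca -> ca.getSubjectX500Principal().equals(crl.getIssuerX500Principal()))
                .findFirst()
                .orElseThrow(() -> new GeneralSecurityException("CRL issuer is not a trusted CA"));
        crl.verify(signer.getPublicKey());                // SignatureException if forged or altered
        Date next = crl.getNextUpdate();
        if (now.before(crl.getThisUpdate()) || (next != null && now.after(next))) {
            throw new GeneralSecurityException("CRL is not current; refusing to treat it as authoritative");
        }
    }
}
```

Passing the clock in as a parameter keeps the freshness check testable; in the handler it would simply be `new Date()`.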
