>> Let's find the best solution together here... any suggestions?
> 
> I've reviewed the code for the X509CredentialsAuthenticationHandler
> class and it looks very straightforward to add an additional property
> for a CRL and an additional check in the authenticate method to verify a
> certificate against the provided CRL.  I suppose we would check _all_
> the certificates in the chain for validity against the CRL and raise an
> exception, similar to X509Certificate.checkValidity, if any has been
> revoked.  Does this sound feasible?  Any caveats we should be aware of
> with this approach?

Yes, you should check every certificate in the chain, although it is unlikely 
that a CA certificate is going to be revoked (however this would require 
immediate action because of the danger!!). My biggest worry is to combine 
several CRL files. If it's going to be an n*m lookup then performance must 
suffer badly (depending on your PKI structure)...

Note that even the Tomcat connectors do not support multiple CRL files.


I haven't been able to look into it more in detail, but that will certainly 
happen in the near future. Please keep the community up-to-date with your 
findings so they can be used for the next CAS releases.


-- Velpi
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
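One way to implement the chain check and CRL-combining discussed above, as an added example and not code from this thread or from CAS: the CRLs are indexed by issuer DN so each certificate is compared only against the CRLs its own issuer published (one map lookup per certificate instead of an n*m scan), and the check fails closed on a missing or stale CRL. The class name CrlRevocationChecker and the nested RevokedException are hypothetical.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;

/** Hypothetical helper: checks every certificate in a chain against a set of CRLs. */
public final class CrlRevocationChecker {

    /** Raised like X509Certificate.checkValidity raises CertificateExpiredException. */
    public static final class RevokedException extends CertificateException {
        public RevokedException(String msg) { super(msg); }
    }

    // Issuer DN -> CRLs published by that issuer. Lookup per certificate is O(1)
    // on the map plus the CRL's own (hash-based) revoked-entry lookup.
    private final Map<X500Principal, List<X509CRL>> crlsByIssuer = new HashMap<>();

    public CrlRevocationChecker(Collection<X509CRL> crls) {
        for (X509CRL crl : crls) {
            crlsByIssuer.computeIfAbsent(crl.getIssuerX500Principal(), k -> new ArrayList<>()).add(crl);
        }
    }

    /** Checks every certificate in the chain, end-entity and CAs alike; throws on the first problem. */
    public void checkChain(X509Certificate[] chain) throws CertificateException {
        Date now = new Date();
        for (X509Certificate cert : chain) {
            X500Principal issuer = cert.getIssuerX500Principal();
            List<X509CRL> candidates = crlsByIssuer.get(issuer);
            if (candidates == null) {
                // Fail closed: without a CRL from this issuer the status is unknown, not "good".
                throw new CertificateException("No CRL available for issuer " + issuer);
            }
            for (X509CRL crl : candidates) {
                // A CRL past its nextUpdate is stale; refuse to rely on it.
                if (crl.getNextUpdate() != null && crl.getNextUpdate().before(now)) {
                    throw new CertificateException("Stale CRL for issuer " + issuer);
                }
                X509CRLEntry entry = crl.getRevokedCertificate(cert);
                if (entry != null) {
                    throw new RevokedException(cert.getSubjectX500Principal()
                            + " revoked on " + entry.getRevocationDate());
                }
            }
        }
    }
}
```

The CRLs passed to the constructor are assumed to have been loaded from a trusted location and signature-checked against the issuing CA's key with X509CRL.verify(PublicKey) beforehand; an unverified CRL could otherwise be swapped for one that omits a revoked entry.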
