[ https://issues.apache.org/jira/browse/WSS-338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13209119#comment-13209119 ]

Freeman Fang commented on WSS-338:
----------------------------------

Hi Colm,

Thanks for the reply.
But as I commented in WSS-339, we need enableCRLDP per service context, as 
different services may use different certificates issued by different CAs, so 
it's possible that they use different certificate revocation check policies.

I'm going to introduce a new property enableCRLDP for WSHandler so that we can 
configure it per service easily, and use the solution I suggested in WSS-339, 
something like
synchronized (globalLock) { // a global lock object from WSS4J
    // set the enableCRLDP system property
    validator.validate(path, param); // check if certificate is still valid
    // restore the previous property value
} 
in the verifyTrust method, so that the property won't pollute the whole JVM 
context; this solution works in my test.

WDYT?

Best Regards
Freeman
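The set-validate-restore pattern described in the comment, written out as an added Java example (not WSS4J code); the lock name, class and method are assumptions, and it assumes the PKIX provider in use reads com.sun.security.enableCRLDP when validation runs rather than once at class load, which should be checked for the target JDK.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;

/**
 * Toggles the JVM-wide CRLDP property only for the duration of one validation,
 * serialised on a single lock so a concurrent validation for another service
 * (with a different revocation policy) cannot observe the change.
 * Illustrative helper; CRLDP_LOCK and validate() are assumed names, not WSS4J API.
 */
public final class CrldpValidation {

    // One lock for every validator in the JVM: the property it guards is global.
    private static final Object CRLDP_LOCK = new Object();
    private static final String CRLDP_PROP = "com.sun.security.enableCRLDP";

    private CrldpValidation() {}

    public static PKIXCertPathValidatorResult validate(CertPath path,
                                                     PKIXParameters params,
                                                     boolean enableCrldp)
            throws GeneralSecurityException {
        // Without revocation checking enabled the CRLDP property has no effect.
        params.setRevocationEnabled(true);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        synchronized (CRLDP_LOCK) {
            String previous = System.getProperty(CRLDP_PROP);
            System.setProperty(CRLDP_PROP, Boolean.toString(enableCrldp));
            try {
                // Throws CertPathValidatorException if the chain is untrusted or revoked.
                return (PKIXCertPathValidatorResult) validator.validate(path, params);
            } finally {
                // Restore rather than clear: another component may have set it deliberately.
                if (previous == null) {
                    System.clearProperty(CRLDP_PROP);
                } else {
                    System.setProperty(CRLDP_PROP, previous);
                }
            }
        }
    }
}
```

Callers supply the CertPath and PKIXParameters (trust anchors, optional CertStore with a CRL file) they already build for the Merlin Crypto instance.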
> should set com....security.enableCRLDP when enableRevocation is true
> --------------------------------------------------------------------
>
>                 Key: WSS-338
>                 URL: https://issues.apache.org/jira/browse/WSS-338
>             Project: WSS4J
>          Issue Type: Improvement
>    Affects Versions: 1.6.4
>            Reporter: Freeman Fang
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.6.5
>
>         Attachments: WSS-338.patch
>
>
> When we use a CRL to do a certificate revocation check, generally the 
> certificates can carry a CRLDistributionPoints extension (which is an HTTP or 
> LDAP URL), but currently we can't use these CRLDistributionPoints in 
> certificates out of the box. It would be better if we could use 
> CRLDistributionPoints out of the box. Simply setting the 
> com.sun|ibm.security.enableCRLDP property to true when enableRevocation is set 
> ensures that we get a chance to use the CRLDistributionPoints in certificates, 
> and it is not necessary to specify 
> org.apache.ws.security.crypto.merlin.x509crl.file explicitly and whatnot for 
> the Crypto instance.
> Setting this property won't affect the current logic, e.g., if there are no 
> CRLDistributionPoints in the certificates then it can still use the CRL file 
> specified by org.apache.ws.security.crypto.merlin.x509crl.file
