Too-short answer: See RFC 3280.
Probably long-enough answer: It is built into OpenSSL, and thus
inherited into Globus, but the details for fetching and enforcing the
CRLs depend on your grid middleware.
Maybe too long an answer, since you are probably not asking about
trust fabric issues:
The effect of the CRLs is to provide a revocation list against which
subject DNs can be checked. If you use these, you should be sure to
keep the CRLs up to date. Many grid middleware distributions, such
as the VDT, gLite, caGrid, etc., used by large-scale grid projects
include tools to fetch the CRLs for the CAs trusted in the context of
their organizations.
The basic technical response to your question is thus that it is up
to the middleware used by your project to request and apply CRLs and
to keep them up to date. Furthermore, if a CA does NOT supply and
*always* keep accessible a download point for CRLs, you should not
use that CA in your grid project (unless it is *very* closely held
and basically under your own control so that you know about any
problems with subject DNs that may arise). There are exceptions for
CAs that issue certificates that are known to be limited in time of
validity and so do not technically require a CRL. In fact, the IGTF
has whole authentication profiles written around this possible
approach. This strays into topics related to trust federations, how
to know what CAs to use and where to get them, etc.
Further information on CA best practices for grid use is available in
the Grid Certificate Profile document produced by the CAOps group of
the OGF, available at
https://forge.gridforum.org/sf/go/doc13741
The IGTF authentication profiles and distribution can be obtained at
http://gridpma.org
The IGTF distributions form the basis for most (at least many) large-
scale grid projects and are incorporated, including tools to fetch
and apply CRLs, into grid middleware distributions such as those
mentioned above.
Hope this helps.
On Aug 13, 2007, at 6:48 PM, Keith Thompson wrote:
> Some certificate authorities distribute files with names of the
> form <hash>.crl_url. These are one-line text files containing the
> URL from which the CRL (<hash>.r0) can be downloaded.
> Does Globus make any use of these files, or is it left up to
> third-party tools (<PLUG>such as gx-map</PLUG>) to manually download
> and install the CRLs?
Alan Sill, Ph.D
TIGRE Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics
TTU
====================================================================
: Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 :
: e-mail: [EMAIL PROTECTED] ph. 806-742-4350 fax 806-742-4358 :
====================================================================