On Mon 07-08-13 20:19, Alan Sill wrote:

> Too-short answer: See RFC 3280.
>
> Probably long-enough answer: It is built into OpenSSL, and thus
> inherited into Globus, but the details for fetching and enforcing the
> CRLs depend on your grid middleware.
>
> Maybe too long an answer, since you are probably not asking about
> trust fabric issues:
>
> The effect of the CRLs is to provide a revocation list against which
> subject DNs can be checked. If you use these, you should be sure to
> keep the CRLs up to date. Many grid middleware distributions, such
> as the VDT, GLite, CaGrid, etc., used by large-scale grid projects
> include tools to fetch the CRLs for the CAs trusted in the context of
> their organizations.

[snip]

> Hope this helps.
I've taken a very brief look at RFC 3280, and I don't *think* it answers the question I was asking. I think the question I asked was narrower than the one you answered.

Suppose I want to recognize a CA with hash 12345678. So, I install the certificate (12345678.0) and signing policy (12345678.signing_policy) files in /etc/grid-security/certificates, but I also want to reject any attempt to use a certificate that's been revoked. The usual way to do this is to install the CRL, 12345678.r0, in /etc/grid-security/certificates; this requires some process to update it periodically, ideally whenever the CA updates it.

If I install just 12345678.crl_url *instead of* 12345678.r0, does Globus pay any attention to the 12345678.crl_url file, or is it just as if I had installed only 12345678.0 and 12345678.signing_policy? I'm fairly sure that Globus will just ignore the 12345678.crl_url file, but I want to be certain on this point.

A separate question: Do some third-party tools outside of Globus use *.crl_url files? If so, which ones? You mentioned VDT, GLite, and CaGrid; do they use *.crl_url files or some other method?

(My own gx-map package includes a tool called gx-ca-update which automatically downloads, verifies, and updates CRLs, but it's driven by a description file for each CA, not by *.crl_url files. It's used on TeraGrid.)

-- 
Keith Thompson <[EMAIL PROTECTED]>
San Diego Supercomputer Center <http://users.sdsc.edu/~kst/>
858-822-0853
"We must do something. This is something. Therefore, we must do this."
-- Antony Jay and Jonathan Lynn, "Yes Minister"
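If, as Keith suspects, Globus ignores the `.crl_url` file, some external process has to turn each `<hash>.crl_url` into a fresh, verified `<hash>.r0`. The following POSIX shell script is an added example of that job (it is not Globus's, gx-ca-update's or any middleware's own code); it assumes a `.crl_url` file holds the CRL's URL on its first non-blank line and that `openssl` and `curl` are on the path.

```shell
#!/bin/sh
# Added example: refresh Globus-style <hash>.r0 files from <hash>.crl_url.
# ASSUMPTION: <hash>.crl_url holds the CRL's URL on its first non-blank line.

# install_crl DIR HASH FILE: verify FILE (a PEM or DER CRL) against DIR/HASH.0
# and install it as DIR/HASH.r0 in PEM form. Any failure returns non-zero and
# leaves an existing DIR/HASH.r0 untouched.
install_crl() {
    dir=$1; hash=$2; src=$3
    ca="$dir/$hash.0"
    [ -r "$ca" ] || { echo "install_crl: missing CA cert $ca" >&2; return 1; }
    tmp=$(mktemp "$dir/.$hash.r0.XXXXXX") || return 1
    # CAs often publish DER; Globus reads PEM, so normalise to PEM first.
    if ! openssl crl -inform PEM -in "$src" -out "$tmp" 2>/dev/null &&
       ! openssl crl -inform DER -in "$src" -out "$tmp" 2>/dev/null; then
        echo "install_crl: $src is not a PEM or DER CRL" >&2
        rm -f "$tmp"; return 1
    fi
    # Accept only a CRL actually signed by the CA whose hash it claims.
    if ! openssl crl -in "$tmp" -CAfile "$ca" -noout >/dev/null 2>&1; then
        echo "install_crl: CRL signature does not verify against $ca" >&2
        rm -f "$tmp"; return 1
    fi
    chmod 0644 "$tmp" && mv -f "$tmp" "$dir/$hash.r0"   # atomic replace
}

# update_crls DIR: fetch and install the CRL for every DIR/<hash>.crl_url.
update_crls() {
    dir=$1; failed=0
    for f in "$dir"/*.crl_url; do
        [ -e "$f" ] || continue                  # no .crl_url files at all
        hash=$(basename "$f" .crl_url)
        url=$(grep -v '^[[:space:]]*$' "$f" | head -n 1)
        dl=$(mktemp) || { failed=1; continue; }
        if curl -fsSL --max-time 60 -o "$dl" "$url" &&
           install_crl "$dir" "$hash" "$dl"; then
            echo "updated $hash.r0 from $url"
        else
            echo "update_crls: failed to refresh $hash.r0 from $url" >&2
            failed=1
        fi
        rm -f "$dl"
    done
    return $failed
}
```

Run `update_crls /etc/grid-security/certificates` from cron; a CRL that fails signature verification against its CA is discarded rather than installed.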
