-----Original Message-----
From: Pere Camps <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Wednesday, December 01, 1999 5:54 AM
Subject: no CRLs


>Hi All!
>
>        I'm in a situation where I know all my clients certs (I've also
>issued them) but I don't want to handle CRLs. The ideal thing would be to
>have all the users' valid certificates in a directory, and if the
>certificate isn't there, then even if the certificate was issued by my CA,
>the server should deny access to the pages.
>
>        Can this be accomplished easily?
>
>        Thanks for your help
>
>-- p.
>

The SSL package is not checking individual certs against preknown user
certificates.  It does need to have the CA's certificates so it can check
against the CA's public key.  It validates the signature, expiration date
and time and the issuer.  Certificate technology is really designed for
situations where trust has to be delegated.  If you have all the
certificates in advance, and you know which one has been revoked at the same
time without checking the CRL, you have to be your own issuer.

Coming back to the topic, you are planning to check against non-revoked
certificates instead of revoked certificates. This is a lot of work.
Generally there are far fewer revoked than non-revoked certificates.
Performance may be an issue when the number of certificates gets large.

As far as programming is concerned, since this is not the way openssl checks
certificates, some code needs to be written.  I won't recommend it anyway.
The amount of coding is not the issue.

Lin
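
For readers who do decide to write that code, here is an added example (not from either poster, and not mod_ssl's own code) of the allowlist check the question asks for: each issued certificate you still consider valid is fingerprinted, and a presented certificate is accepted only if its exact DER bytes are on that list. It assumes the TLS layer has already verified the chain to your CA; the sample PEM blocks are constructed stand-ins, not real X.509 data.

```python
import base64
import hashlib
import re

# Run this only after mod_ssl (SSLVerifyClient require) has verified the chain
# back to the CA: it is an extra "is this exact cert still on my list" step,
# not a substitute for signature, issuer and expiry validation.

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the raw DER bytes of the first cert."""
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding; the same digest `openssl x509
    -noout -fingerprint -sha256` prints, with the colons removed."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def build_allowlist(pems) -> frozenset:
    """Fingerprint every cert in the 'valid users' directory, e.g. the text
    of each file from Path(directory).glob('*.pem')."""
    return frozenset(fingerprint(pem) for pem in pems)


def is_allowed(presented_pem: str, allowlist: frozenset) -> bool:
    """Deny unless the presented cert is byte-for-byte on the allowlist.
    Malformed input (bad armour, bad base64) is treated as a denial."""
    try:
        return fingerprint(presented_pem) in allowlist
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False


def make_test_pem(name: str) -> str:
    """Constructed stand-in for a user's PEM certificate (not real X.509)."""
    body = base64.b64encode(f"constructed DER for {name}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    allowed = build_allowlist([make_test_pem("alice"), make_test_pem("bob")])
    print(is_allowed(make_test_pem("alice"), allowed))  # True
    print(is_allowed(make_test_pem("carol"), allowed))  # False: issued but not listed
```

Revoking a user then means deleting their file from the directory and rebuilding the set; the cost Lin mentions is the lookup growing with the number of valid users rather than the (usually much smaller) number of revoked ones.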


>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
>User Support Mailing List                      [EMAIL PROTECTED]
>Automated List Manager                            [EMAIL PROTECTED]
>
