eirc dai wrote:
> Sorry for my bad English.
> I try to describe as below:
> 
> config client certificate verify
>  at 1st, build a config file maybe named ca.conf or combine with pound.conf

pound.conf ???

> [CA]
>    name =
> 
> ............
> ..........
> the certificate file name
>   verify= 
> 
>   #0 - no crl
>   #1 - use a static crl file 
>   #2 - use a URL to retrieve  CRL 
>      URL=http://210.74.41.60/crl/CRLFile.crl
>   #3 - directory based CDP (CRL distribution point)

Now it works this way:
- use the crl_url=<value> and based on the value the server will:
        file: -> load a static CRL from HD
        http: -> load a CRL from URL by using HTTP
        ldap: -> load a CRL from URL by using LDAP (v3)
  if no crl_url is provided AND the CA certificate is self-signed,
  it uses the CDP to get the URL for CRL download

>[...]
> when system running, download all CRLs based on CDP (baseDN and CDP filename)
> and user-specified LDAP server ip:port.
>  while Client asks for verify
> extract the CDP from client certs

Well... on the server you usually do not have client certs... especially if you
are running an OCSP for several CAs.

> look for current downloaded CRL
> if it is good, use it to verify
> if it expired or does not exist, try to download it

This already works. You can define the secs between checks on loaded CRLs and
also secs for periodic reloading (even if the CRL is still valid it does not mean
there is no new revocation information available...)

I do not know if I answered you, I am not sure I got your point... anyway let me
know if I am missing something here!


-- 

Best Regards,

        Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]      [EMAIL PROTECTED]
                                                Tel.:   +39 (0)11  564 7081
http://security.polito.it                       Fax:    +39   178  270 2077
                                                Mobile: +39 (0)347 7222 365

Politecnico di Torino (EuroPKI)
Certification Authority Informations:

Authority Access Point                                  http://ca.polito.it
Authority's Certificate:          http://ca.polito.it/ca_cert/en_index.html
Certificate Revocation List:              http://ca.polito.it/crl02/crl.crl
--o------------------------------------------------------------------------
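The two rules in the reply above (which loader a crl_url selects, with the CDP fallback only for a self-signed CA, and when a loaded CRL is checked or re-fetched) as an added Python model; this is not OpenCA's code. The CaCert record, the interval names and the example URLs are constructed assumptions standing in for real X.509 parsing and the actual configuration keywords.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class CaCert:
    """Constructed stand-in for the CA cert: real code would derive these
    from issuer==subject + signature check and the CRLDistributionPoints ext."""
    self_signed: bool
    cdp_urls: list = field(default_factory=list)

# crl_url schemes named in the mail and the loader each selects
LOADERS = {"file": "static CRL file", "http": "HTTP fetch", "ldap": "LDAPv3 fetch"}

def resolve_crl_source(crl_url, ca):
    """(scheme, location) to fetch the CRL from, or None. An explicit crl_url
    wins; without one, the CA's own CDP is used only for a self-signed CA."""
    if crl_url:
        scheme, sep, _ = crl_url.partition(":")
        if not sep or scheme.lower() not in LOADERS:
            raise ValueError(f"unsupported crl_url scheme: {crl_url!r}")
        return scheme.lower(), crl_url
    if ca.self_signed and ca.cdp_urls:
        cdp = ca.cdp_urls[0]
        return cdp.partition(":")[0].lower(), cdp
    return None

@dataclass
class LoadedCrl:
    loaded_at: datetime    # when this CRL copy was fetched
    next_update: datetime  # the CRL's own nextUpdate field
    last_check: datetime   # when the responder last examined it

def crl_action(crl, now, check_every, reload_every):
    """'skip' if checked too recently; 'reload' if the CRL expired OR the
    periodic reload interval elapsed (a valid CRL can still be stale); else 'keep'."""
    if now - crl.last_check < check_every:
        return "skip"
    if now >= crl.next_update or now - crl.loaded_at >= reload_every:
        return "reload"
    return "keep"

def demo():
    """Run one CRL through a short timeline; returns the decisions in order."""
    t0 = datetime(2024, 1, 1)
    crl = LoadedCrl(loaded_at=t0, next_update=t0 + timedelta(days=7), last_check=t0)
    check, reload = timedelta(hours=1), timedelta(days=1)
    offsets = (timedelta(minutes=5), timedelta(hours=2), timedelta(days=1, hours=1))
    return tuple(crl_action(crl, t0 + dt, check, reload) for dt in offsets)
```

The third decision in demo() is a reload of a CRL whose nextUpdate is still six days away, which is the periodic-reload case the reply describes.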
