Hi Alex,

Actually, I would suggest NOT using HTTPS for publishing CRLs. First of all, CRLs are signed, so the authentication is in the data itself. Second of all, you may run into an "I can't verify the SSL certificate presented by the server because I need the CRL in order to proceed" situation.

This may not be an issue for a custom application like the OCSP server, but I guarantee that you'll have issues with other applications like browsers! DoD PKI implementation guidelines are not really the best to follow if you want to provide good interoperability in an open environment (IMHO)...

Later,
Max

Alex Agranov wrote:
Hi Eddy,

Sorry for not being clear enough in my original mail. My fix adds support for CRL retrieval over HTTPS (and HTTP with authentication). Such a requirement is pretty common and, for example, is listed in the DoD PKI implementation guidelines.
-- 
Best Regards,
Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]    [EMAIL PROTECTED]
                                              [EMAIL PROTECTED]
Dartmouth Computer Science Dept               Home Phone: +1 (603) 397-3883
PKI/Trust - Office 063                        Work Phone: +1 (603) 646-9179
--o------------------------------------------------------------------------
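As an added example, not part of this thread and not OpenCA code, the following standard-library Python model shows the failure mode Max describes: a strict validator that must check the revocation status of a TLS server certificate before trusting anything downloaded from it, where that server's own CRL is also published only over HTTPS. All certificate names, hostnames and CDP URLs are constructed for the illustration; no real certificates, keys or network access are involved.

```python
"""Model of the circular dependency that arises when a CRL is published
only over HTTPS and the validator insists on checking revocation of the
TLS server certificate before trusting the download.

Constructed example data (hypothetical hostnames and certificate names);
no real certificates, keys or network access."""
from urllib.parse import urlparse


class CircularDependency(Exception):
    """Raised when checking a certificate's revocation requires a CRL that
    can only be fetched after checking that same certificate."""


# Constructed certificates: name -> CRL distribution point (CDP) URL.
CERTS = {
    # End-entity cert whose CDP is served over HTTPS by a host whose TLS
    # cert comes from the same CA and points at the same HTTPS CDP.
    "ee-https-cdp": "https://crl.example.test/ca.crl",
    "tls-cert-crl-host": "https://crl.example.test/ca.crl",
    # Plain HTTP CDP: the signed CRL needs no transport authentication.
    "ee-http-cdp": "http://crl.example.test/ca.crl",
    # HTTPS CDP served by a host whose own TLS cert uses an HTTP CDP, so
    # the chain of fetches terminates.
    "ee-https-cdp-terminating": "https://crl2.example.test/ca.crl",
    "tls-cert-crl2-host": "http://crl2.example.test/ca.crl",
}

# Constructed mapping: hostname -> name of the TLS server cert it presents.
TLS_CERT_OF_HOST = {
    "crl.example.test": "tls-cert-crl-host",
    "crl2.example.test": "tls-cert-crl2-host",
}


def plan_revocation_check(cert_name, certs=CERTS, host_certs=TLS_CERT_OF_HOST,
                          _in_progress=()):
    """Return the ordered list of CRL URLs a strict validator must fetch to
    check `cert_name`, innermost dependency first.

    For an https:// CDP the validator first has to validate the TLS server
    certificate, including its revocation status, which recurses into that
    certificate's own CDP. Reaching a certificate already under check means
    the validator can never finish: the situation a browser hits when the
    CRL it needs sits behind a certificate it cannot yet trust."""
    if cert_name in _in_progress:
        raise CircularDependency(" -> ".join(_in_progress + (cert_name,)))
    in_progress = _in_progress + (cert_name,)

    url = certs[cert_name]
    parsed = urlparse(url)
    fetches = []
    if parsed.scheme == "https":
        # Trusting the download requires validating the server cert first.
        server_cert = host_certs[parsed.hostname]
        fetches.extend(plan_revocation_check(server_cert, certs, host_certs,
                                             in_progress))
    elif parsed.scheme != "http":
        raise ValueError(f"unsupported CDP scheme in {url!r}")
    fetches.append(url)
    return fetches


def audit_distribution_points(certs=CERTS, host_certs=TLS_CERT_OF_HOST):
    """Classify every certificate as 'ok' or 'circular' so an operator can
    spot HTTPS-only CDPs that a strict validator cannot resolve."""
    result = {}
    for name in certs:
        try:
            plan_revocation_check(name, certs, host_certs)
            result[name] = "ok"
        except CircularDependency:
            result[name] = "circular"
    return result


if __name__ == "__main__":
    for name, verdict in audit_distribution_points().items():
        print(f"{name:28s} {verdict}")
```

The model assumes a validator that hard-fails when a required CRL cannot be fetched. A client that skips the revocation check on the CRL server's own certificate avoids the loop, but only by trusting a certificate it has not fully validated, which is why serving the already-signed CRL over plain HTTP is the interoperable choice.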
_______________________________________________
OpenCA-Devel mailing list
OpenCA-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-devel