Julien VEHENT wrote:
I don't want to use HTTP just because web servers are too much attacked. Moreover, OCSP is very interesting for the student that I am :)
OK, so if I use a "boring script" which requests 100 serials in one line, what is the correct syntax to generate a CRL using the OpenSSL OCSP request?
I don't think you can do what you want anyway - you have a chicken-n-egg problem.
As far as I'm aware, an OCSP environment implies the following. You (e.g. the HTTPS server) are asked to interact with a remote cert; you can tell it was signed by a CA you trust - but you don't know if it hasn't been revoked. So you call OCSP and say "is serial 7423342 still valid" and it answers yes or no.
So for you to dump all the revoked certs contained within an OCSP db, you'd need to know all of the serial numbers in advance. And the only thing that knows all the assigned serial numbers is the CA itself. So now what do you do? Log into the CA and dump the serial numbers, copy them over to the box and then use OCSP to recursively do the lookups?!?! A waste of time - you could have just grabbed the CRL file in the first place.
What we do is have a distribution of "CRL Servers". Simply Apache servers with a copy of our CRL (rsync'ed onto the Apache servers from the CA on an hourly basis). As Stephen said, all CRLs are digitally signed by the CA - so THEY CANNOT BE ALTERED.
Worst case scenario is that the Web server is compromised and...? The CRL is deleted...? Corrupted? It can't be altered. I mean if your Web server is compromised, the integrity of your CRL file is irrelevant.
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]