Hello.

On 2009-07-13 12:15:21, Goetz Babin-Ebell wrote:
> Do you also control client certificate generation?
>
> With that you could configure the server to only accept client
> certificates issued by your own CA and set the user name in the client
> certificate's subject name.
>
> This way you would only have to store your CA certificate and the CRL
> for all client certificates that became invalid on the server.
I believe I will be, but what are my options if I don't control cert
generation? I think this is why I considered caching copies of client
certs first of all - I can't verify the identity of an untrusted cert, but
I can at least check that the user presents the same cert next time.

> If you accept client certificates issued by foreign (not controlled by
> you) CAs, you would have to find a way to map between certificate and user.
> Here a mapping from issuer name / serial number of the client cert
> would be sufficient...

Right, I'll keep that in mind.

xw
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
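The three options discussed in the thread, side by side, as an added example that is not from the original posts or from the OpenSSL project: a server that (a) accepts only certificates chaining to its own CA and takes the user name from the subject CN, rejecting serials listed in a CRL stand-in; (b) for certificates from a foreign CA it still verifies the chain but derives the user from an issuer-name/serial-number table; and (c) as the fallback the poster considers for certificates nobody can vouch for, pins the certificate on first use so only the identical one is accepted later. The PKI is generated in-process from constructed test data (the CA names, user names and serials are arbitrary), using Go's standard crypto/x509 rather than the OpenSSL CLI so the whole thing runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a certificate signed by parent (self-signed when parent is nil).
// This is a constructed test PKI for the example, not real credentials.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Server holds exactly what the thread says the server has to store: its own CA
// (plus any foreign CAs it chooses to trust), the revoked serials (a CRL stand-in),
// an issuer+serial -> user table for foreign-CA certs, and first-use pins.
type Server struct {
	ownCA   *x509.Certificate
	roots   *x509.CertPool
	revoked map[string]bool   // issuerDN|serial; serials are unique only per issuer
	foreign map[string]string // issuerDN|serial -> user name
	pins    map[string]string // user name -> SHA-256 fingerprint of the DER cert
}

func NewServer(ownCA *x509.Certificate, foreignCAs ...*x509.Certificate) *Server {
	pool := x509.NewCertPool()
	pool.AddCert(ownCA)
	for _, ca := range foreignCAs {
		pool.AddCert(ca)
	}
	return &Server{ownCA: ownCA, roots: pool, revoked: map[string]bool{},
		foreign: map[string]string{}, pins: map[string]string{}}
}

// certKey is the issuer-name / serial-number pair suggested in the thread.
func certKey(c *x509.Certificate) string { return c.Issuer.String() + "|" + c.SerialNumber.String() }

// Authenticate maps a client certificate presented in the TLS handshake to a user.
// The handshake only proves the client holds the matching private key; this
// decides whether the certificate is acceptable and whose it is.
func (s *Server) Authenticate(c *x509.Certificate) (string, error) {
	chains, err := c.Verify(x509.VerifyOptions{Roots: s.roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", err // not issued by any CA we accept; covers self-signed certs too
	}
	if s.revoked[certKey(c)] {
		return "", errors.New("certificate revoked")
	}
	anchor := chains[0][len(chains[0])-1] // trust anchor the chain ends in
	if anchor.Equal(s.ownCA) {
		// Our CA chose the subject, so the CN can be used as the user name.
		return c.Subject.CommonName, nil
	}
	// Foreign CA: its subject naming is not ours, so look up issuer+serial instead.
	// This lookup is only safe after the chain check above; on its own it would
	// match a self-signed cert carrying a copied issuer DN and serial number.
	if user, ok := s.foreign[certKey(c)]; ok {
		return user, nil
	}
	return "", fmt.Errorf("no user mapped to %s", certKey(c))
}

// Pin is the poster's fallback: remember the certificate the first time a user
// presents it and afterwards accept only that identical certificate. It gives no
// identity assurance on first contact, only continuity from then on.
func (s *Server) Pin(user string, c *x509.Certificate) error {
	sum := sha256.Sum256(c.Raw)
	fp := hex.EncodeToString(sum[:])
	if seen, ok := s.pins[user]; ok && seen != fp {
		return fmt.Errorf("user %q presented a different certificate than the pinned one", user)
	}
	s.pins[user] = fp
	return nil
}
```

Two details worth noticing: the revocation set and the foreign-CA table are both keyed on issuer plus serial, because two CAs can legitimately issue the same serial number, so a serial-only CRL check would revoke the wrong user; and the pinning path is deliberately separate from Authenticate, since a pinned but unverifiable certificate tells you only that the same key came back, not who holds it.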