Re: pki - CRL questions



Your approach sounds like it may be pretty extreme. You haven't mentioned
why you even want to use PKI. You have decided on the three tier approach,
before you have these other questions answered. I think you might want to
keep an open mind about that part, and design from a services approach
first, then plan your architecture. Making early mistakes with PKI
deployment is expensive.

If you are securing web sites or e-mail that is accessed from the internet,
then you need to make your CRLs accessible from the internet. If you don't
need this now, you probably will in the future. If you ever partner with
other companies, PKI can be a real cost saver. Because of this, you need to
plan early on what URI will be embedded in certificates from the very
beginning.

You sound like you are deploying for a very large organization. You
probably will want to use OCSP (Online certificate status protocol) instead
of CRL. OCSP products from Tumbleweed will give you an amazing amount of
flexibility in this area, and are used by the U.S. military and government.
Microsoft relies on third party solutions for OCSP.

Paul Nelson
Thursby Software Systems, Inc.


in article 9A4A72AB-4203-4555-A81D-D70D22B7B12D@xxxxxxxxxxxxx, Ben at
Ben@xxxxxxxxxxxxxxxxxxxxxxxxx wrote on 11/13/06 9:15 AM:

Designing a basic w2k3 pki for internal purposes. Three tier (root &
intermediate offline, enterprise issuing). Might be expanded to support
external (outside AD forest, outside internal WAN) use in the near future.
Do I need to publish CRLs and AIA to external accessible webservers from
the start, or can I start with internal publishing only?
Can the CRL publishing list be changed for all CAs (external HTTP address
added) without much reconfiguration at a later stage?
What is the preferred order, when using mostly AD integrated clients: ldap
or http first?
I want this design to be flexible, not directly needing an extra layer of
intermediate and issuing CAs when external used certs are needed, but also
want to prevent making irreversible decisions...
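As an added example (not code from Paul, Ben or Microsoft), this is how the CDP and AIA URI lists that Paul says must be planned up front are set on an AD CS CA with certutil. The hostname pki.example.com is a placeholder; the entry order shown (HTTP before LDAP) is my choice, on the grounds that the HTTP URI is the only one clients outside the forest can resolve.

```powershell
# Added example: CDP/AIA publication URLs for an AD CS issuing CA.
# Entry order in each list is the order the URIs appear in the extension of
# every certificate issued after the change. Only newly issued certificates
# pick up the change; already-issued certificates keep the URIs embedded at
# issue time, so an external HTTP URI should be present from day one even if
# the web server behind it is built later.
#
# Flag values (summed per entry), as documented for certutil -setreg:
#   1   publish CRLs to this location (file or LDAP)
#   2   include this URI in the CDP/AIA extension of issued certificates
#   4   include in CRLs, so clients can locate delta CRLs
#   8   include in all CRLs; where to publish in AD when publishing manually
#   64  publish delta CRLs to this location
#   128 include in the IDP extension of issued CRLs

$cdp = @(
    # Local path the CA writes to; flag 1 only, never embedded in certificates.
    "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl"
    # HTTP first: reachable by every client, inside and outside the forest.
    "2:http://pki.example.com/pki/%3%8%9.crl"
    # LDAP second: only resolvable by domain-joined clients.
    "10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
) -join '\n'   # literal \n is certutil's multi-string separator

$aia = @(
    "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt"
    "2:http://pki.example.com/pki/%1_%3%4.crt"
    "2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
) -join '\n'

certutil -setreg CA\CRLPublicationURLs $cdp
certutil -setreg CA\CACertPublicationURLs $aia

# The CA reads these values at service start; then publish a fresh CRL.
net stop certsvc
net start certsvc
certutil -crl

# Verify: dump the effective lists, then check that every CDP/AIA URI in a
# freshly issued certificate (placeholder path) is actually retrievable.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
certutil -verify -urlfetch .\issued-test-cert.cer
```

Run the last command from a machine outside the forest as well; a URI that resolves only over LDAP will show up there as a fetch failure.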

