Re: Partitioned CRLs
Nuno Ponte wrote:
> Hi,
>
> We are running a CA that has thousands of revoked certificates,
> which leads to CRLs of several MBytes.
>
> On the next renewal of the CA, we are thinking of partitioning the
> CRLs at each X number of issued certificates. The issued certificates
> will have different CRL Distribution Points (CDP) according to the
> partitions they are assigned.
>
> For example, for X=100, from certificate 1 to certificate 100, the
> CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101
> to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.
>
The CDP is embedded when the certificate is created, so it might be possible
(client side).
Server side, you can stack as many CRLs as you want into either a single
file or a directory (using hashing) and point Apache at it.
But you may need to apply a patch for handling multiple identical DNs.
http://marc.info/?l=apache-httpd-dev&m=120350484626015&q=p3
Why didn't you implement OCSP in Apache?
http://sitola.fi.muni.cz/%7Etauceti/?download=ocsp_apache_2.2.patch (I
didn't test it anyway)
--
The Mona Lisa does not smile in front of Chuck Norris.
Gilles CUESTA - Logiciels Libres
69139920
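The two server-side layouts Gilles describes (all CRLs stacked in one PEM file, or one CRL per file in an OpenSSL-style hashed directory) and the partition-to-CDP mapping from Nuno's question, as an added example that is not code from the original thread or from Apache. The partition size X=100 and the URL pattern come from the post; the issuer hash value and the CRL bodies are constructed placeholders, not real CRLs, so the script runs offline. In practice the hash comes from `openssl crl -hash -noout -in partition.crl`, and because one CA issues every partition, every partition CRL gets the same hash and they must be numbered `<hash>.r0`, `<hash>.r1`, ... (the collision the "identical DN" remark is about).

```python
"""Partitioned-CRL bookkeeping plus the two server-side CRL layouts.

Added example, not code from the original thread.  Partition size and CDP
URL pattern are taken from the post; issuer hashes and CRL bodies below
are constructed placeholders.
"""
import os
import re
import tempfile

PARTITION_SIZE = 100                   # X from the original post
CRL_BASE_URL = "http://myca.com/crl/"  # CDP prefix from the original post


def partition_for_serial(serial, size=PARTITION_SIZE):
    """Certificates 1..size go to partition 1, size+1..2*size to 2, etc."""
    if serial < 1:
        raise ValueError("serials start at 1")
    return (serial - 1) // size + 1


def cdp_for_serial(serial, size=PARTITION_SIZE, base=CRL_BASE_URL):
    """CDP URL to embed at issuance time: myca-0001.crl, myca-0002.crl, ...
    A revocation of this serial must later be published in exactly this file."""
    return "%smyca-%04d.crl" % (base, partition_for_serial(serial, size))


def fake_crl(partition):
    """Constructed placeholder with PEM framing only (not a real CRL).
    In practice this is the output of `openssl ca -gencrl` for one partition."""
    return ("-----BEGIN X509 CRL-----\n"
            "placeholder-partition-%d\n"
            "-----END X509 CRL-----\n" % partition)


_PEM_CRL = re.compile(r"-----BEGIN X509 CRL-----.*?-----END X509 CRL-----",
                      re.DOTALL)


def stack_crls(pems, out_path):
    """Layout 1: every CRL concatenated into one PEM file (SSLCARevocationFile)."""
    with open(out_path, "w") as f:
        for pem in pems:
            f.write(pem.strip() + "\n")
    return out_path


def split_stacked(path):
    """Split a stacked file back into its PEM blocks (sanity check for layout 1)."""
    with open(path) as f:
        return _PEM_CRL.findall(f.read())


def install_hashed(crls, directory):
    """Layout 2: OpenSSL hashed directory (SSLCARevocationPath).

    crls: iterable of (issuer_hash, pem) pairs.  Files are named
    <hash>.r<N>; CRLs sharing an issuer (all partitions of one CA) share
    the hash and get consecutive N.  Numbering must be contiguous: the
    by_dir lookup probes .r0, .r1, ... and stops at the first missing one.
    """
    os.makedirs(directory, exist_ok=True)
    counters = {}
    names = []
    for issuer_hash, pem in crls:
        if not re.fullmatch(r"[0-9a-f]{8}", issuer_hash):
            raise ValueError("issuer hash must be 8 lowercase hex digits")
        n = counters.get(issuer_hash, 0)
        name = "%s.r%d" % (issuer_hash, n)
        with open(os.path.join(directory, name), "w") as f:
            f.write(pem.strip() + "\n")
        counters[issuer_hash] = n + 1
        names.append(name)
    return names


def demo():
    """Build both layouts for three partitions of one CA in a temp dir."""
    issuer_hash = "1a2b3c4d"  # constructed; real value from `openssl crl -hash`
    pems = [fake_crl(p) for p in (1, 2, 3)]
    root = tempfile.mkdtemp(prefix="crl-demo-")
    stacked = stack_crls(pems, os.path.join(root, "all-crls.pem"))
    names = install_hashed([(issuer_hash, p) for p in pems],
                           os.path.join(root, "crl.d"))
    return {
        "stacked_count": len(split_stacked(stacked)),
        "hashed_names": names,
        "cdp_for_150": cdp_for_serial(150),
    }


if __name__ == "__main__":
    print(demo())
```

Point mod_ssl at the result with `SSLCARevocationFile` for the stacked file or `SSLCARevocationPath` for the hashed directory; on httpd 2.4 CRLs are ignored unless `SSLCARevocationCheck chain` (or `leaf`) is also set. Two design points the partitioning scheme implies: the relying party only fetches the one partition named in the certificate's CDP, so the CA must keep a serial-to-partition map and publish each revocation in the matching file, and each partition is its own CRL with its own CRL number sequence and expiry, so every partition must be re-signed on schedule even when nothing in it changed.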