Re: Partitioned CRLs
Thanks for your reply! :-)
The CA also offers OCSP, which is obviously the preferred way to
validate certificate status. I am just trying to make sure that there
is support from the "applications world" for such a CRL partitioning
scheme. Wide interoperability is a key goal.
On Tue, Oct 21, 2008 at 11:04 AM, Cuesta Gilles <firstname.lastname@example.org> wrote:
> Nuno Ponte wrote:
>> We are running a CA that has thousands of revoked certificates,
>> which leads to CRLs of several MBytes.
>> On the next renewal of the CA, we are thinking of partitioning the
>> CRLs at each X number of issued certificates. The issued certificates
>> will have different CRL Distribution Points (CDP) according to the
>> partitions they are assigned.
>> For example, for X=100, from certificate 1 to certificate 100, the
>> CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101
>> to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.
> CDP is embedded when creating certificate, so it might be possible
> (client side).
> Server side, you can stack as many crl as you want into either a single
> file, or a directory (using hashing) and point to it into Apache.
> But you may apply a patch for multiple identical DN handling.
> Why didn't you implement OCSP into Apache?
> http://sitola.fi.muni.cz/%7Etauceti/?download=ocsp_apache_2.2.patch (I
> didn't test it anyway)
> The Mona Lisa does not smile in front of Chuck Norris.
> Gilles CUESTA - Logiciels Libres
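A small Python model of the partitioning scheme and of the relying-party lookup, added here as an example and not code from the thread or from mod_ssl/OpenSSL. It also shows why each partition CRL must carry an Issuing Distribution Point (IDP) matching the certificates' CDP: RFC 5280 (section 6.3.3) treats a CRL without an IDP as complete for the CA, so a partition published without one would make serials from other partitions look "not revoked". Assumptions: X = 100, the myca.com URLs from the thread, and CRLs represented as dicts rather than DER.

```python
# Constructed model of partitioned CRLs: serials, URLs and revocations are
# illustrative values from the thread, not a real CA.
from typing import Dict, Iterable

PARTITION_SIZE = 100                      # X in the thread
CRL_BASE_URL = "http://myca.com/crl/"     # assumed publication base URL


def partition_index(serial: int) -> int:
    """Serials 1..100 -> partition 1, 101..200 -> partition 2, and so on."""
    if serial < 1:
        raise ValueError("serial numbers start at 1")
    return (serial - 1) // PARTITION_SIZE + 1


def cdp_for_serial(serial: int) -> str:
    """CDP URL the CA embeds in a certificate with this serial at issuance."""
    return f"{CRL_BASE_URL}myca-{partition_index(serial):04d}.crl"


def build_partitioned_crls(highest_serial: int, revoked: Iterable[int],
                           with_idp: bool = True) -> Dict[str, dict]:
    """Publish one CRL per partition (empty partitions included).

    Each CRL carries an IDP naming its own URL, so that a relying party can
    verify the CRL's scope against the certificate's CDP.  with_idp=False
    models the mistake of publishing partitions without that extension.
    """
    crls: Dict[str, dict] = {}
    for n in range(1, partition_index(highest_serial) + 1):
        url = f"{CRL_BASE_URL}myca-{n:04d}.crl"
        crls[url] = {"idp": url if with_idp else None, "revoked": set()}
    for serial in revoked:
        if serial > highest_serial:
            raise ValueError(f"serial {serial} was never issued")
        crls[cdp_for_serial(serial)]["revoked"].add(serial)
    return crls


def check_status(serial: int, cert_cdp: str, crls: Dict[str, dict]) -> str:
    """Relying-party check using only the CRL named in the certificate's CDP.

    Returns 'good', 'revoked' or 'undetermined' (CRL missing or out of scope).
    """
    crl = crls.get(cert_cdp)
    if crl is None:
        return "undetermined"          # partition CRL could not be fetched
    if crl["idp"] != cert_cdp:         # scope check, RFC 5280 6.3.3 step (b)
        return "undetermined"
    return "revoked" if serial in crl["revoked"] else "good"


if __name__ == "__main__":
    crls = build_partitioned_crls(250, {7, 150, 151, 249})
    for s in (7, 8, 150, 230):
        print(s, cdp_for_serial(s), check_status(s, cdp_for_serial(s), crls))
```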
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List email@example.com
Automated List Manager firstname.lastname@example.org