Henry Nebrensky wrote on Mon 19/10/2009 19:34:
>On Tue, 6 Oct 2009, Stephen Burke wrote:
>
>> Testbed Support for GridPP member institutes
>>> [mailto:[log in to unmask]] On Behalf Of Henry Nebrensky said:
>>> There are check-boxes (now ticked!) in the Security section of the
>>> Advanced tab on Internet Options that say "check ... for revocation"
>>> but I've not chased down where they get their lists from.
It depends - if end entity certificates have a CDP (Certificate
Distribution Point) - this is a requirement for Grid CAs IIRC,
then browsers can use those to check their status via the CRL.
It would be interesting to know how this works for CA certificates:
does the CDP in a CA certificate (not a requirement) point to the
issuer's CRL (would be logical), or should it point to its own CRL
(as some say it should). Only experiments or inspecting the code
will reveal how it is processed.
> Importing the CRLs into Firefox at least brings up a dialog box that
> allows setup of automatic CRL downloads, but AFAICT the CRLs are only
> available via the complex EUGridPMA map route.
Not sure what you mean. The IGTF distribution contains the .info files
which contain the CRL URL for each CA. But the CRLs themselves are only
available from the CAs themselves.
Recently, the DoEScienceGrid CA as well as OSG Security have looked into
other ways of distributing CRLs - e.g. commercially available cloud storage.
DoEScienceGrid also had (perhaps they still have) an OCSP responder
covering all CRLs of all Grid CAs, but of course the grid middleware does
not understand OCSP.
Cheers
--jens
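The mechanics discussed above (a CDP in the end-entity certificate telling the relying party where the issuer's CRL lives, and the crl_url line in an IGTF .info file telling fetch-crl the same thing) can be exercised end to end with nothing but the openssl CLI. The script below is an added example and is not part of this thread or of any IGTF tooling. It builds a throwaway CA, issues a leaf certificate whose crlDistributionPoints extension carries a made-up URI under the reserved .invalid domain (so nothing is ever fetched), reads the CDP back out of the certificate, checks the leaf against the CA's CRL, revokes it, reissues the CRL and checks again. The .info fragment is constructed; only the crl_url key name is taken from the real .info format.

```shell
#!/bin/sh
# Added example: CRL Distribution Point round trip with a throwaway CA.
# All names, the CDP URI and the .info fragment are constructed for the demo.
set -eu

CDP_URI="http://crl.example.invalid/demo-ca.crl"   # constructed, never fetched

make_demo_ca() {
  WORK=$(mktemp -d)
  mkdir "$WORK/ca"
  touch "$WORK/ca/index.txt"          # the "openssl ca" issuance database
  echo 01 > "$WORK/ca/serial"
  echo 01 > "$WORK/ca/crlnumber"
  cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $WORK/ca
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
crlDistributionPoints = URI:$CDP_URI
EOF
  # Self-signed CA certificate and key
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" -subj "/CN=Demo Grid CA" \
    -config "$WORK/openssl.cnf" -extensions ca_ext 2>/dev/null
  # End-entity certificate; the leaf_ext section puts the CDP into it
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=demo user" -config "$WORK/openssl.cnf" 2>/dev/null
  openssl ca -batch -notext -config "$WORK/openssl.cnf" -extensions leaf_ext \
    -in "$WORK/leaf.csr" -out "$WORK/leaf.crt" 2>/dev/null
  publish_crl
}

publish_crl() {
  # A real CA would upload this file to the CDP URI; here it stays on disk.
  openssl ca -config "$WORK/openssl.cnf" -gencrl -out "$WORK/ca/ca.crl" 2>/dev/null
}

leaf_cdp_uri() {
  # The relying party learns where the CRL lives from the certificate itself.
  openssl x509 -in "$WORK/leaf.crt" -noout -text \
    | sed -n 's/.*URI:\([^[:space:]]*\).*/\1/p' | head -n 1
}

revocation_status() {
  # Prints good / revoked / error. The exit code alone cannot separate
  # "revoked" from "CRL missing or expired", so the error text is inspected.
  if out=$(openssl verify -crl_check -CAfile "$WORK/ca/ca.crt" \
             -CRLfile "$WORK/ca/ca.crl" "$WORK/leaf.crt" 2>&1); then
    echo good; return 0
  fi
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo error ;;
  esac
  return 1
}

revoke_leaf() {
  openssl ca -config "$WORK/openssl.cnf" -revoke "$WORK/leaf.crt" 2>/dev/null
  publish_crl   # a revocation is invisible until a new CRL is published
}

# Constructed IGTF-style .info fragment; crl_url is the key fetch-crl reads.
DEMO_INFO='alias = DemoGridCA
crl_url = http://crl.example.invalid/demo-ca.crl'

crl_url_from_info() {
  printf '%s\n' "$DEMO_INFO" | sed -n 's/^crl_url[[:space:]]*=[[:space:]]*//p'
}

make_demo_ca
echo "CDP in leaf certificate: $(leaf_cdp_uri)"
echo "CRL URL from .info file: $(crl_url_from_info)"
echo "before revocation: $(revocation_status || true)"
revoke_leaf
echo "after revocation:  $(revocation_status || true)"
rm -rf "$WORK"
```

Two things worth noticing when running it: `openssl verify -crl_check` never fetches the CDP, it only uses the CRL handed to it, which is exactly why grid sites run fetch-crl against the crl_url entries; and the leaf only shows as revoked after publish_crl has been run a second time, so a stale CRL at the distribution point silently un-revokes certificates for the length of default_crl_days.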