
mace-opensaml-users - RE: CRL question


RE: CRL question


  • From: "Christopher Brown" <>
  • To: <>
  • Cc: <>
  • Subject: RE: CRL question
  • Date: Mon, 24 Apr 2006 08:16:45 -0400


You might want to take a look at OCSP.

From: [mailto:]
Sent: Monday, April 24, 2006 2:48 AM
To:
Cc:
Subject: RE: CRL question

It's for the authentication of users. The situation is the following:

The users can log in to our website via a federal service of the Belgian government. Thus, the login itself is not part of our application. The federal service sends (posts) a SAML message to our application with the info of the user and the status of the login (success, failed, etc.). We need to check the validity of the SAML message before allowing the user to enter our website. We manage quite sensitive information, so we cannot ignore the CRLs. Since this website is intended for the clients, 20-30 seconds of waiting for the login is at the limit of the acceptable. That's why we want to (if possible) cache the CRLs, to reduce that waiting time.

Thanks,
regards,
Miro

-----Original Message-----
From: Walter Hoehn []
Sent: Friday, 21 April 2006 16:30
To:
Cc:
Subject: Re: CRL question

My experience is that most folks just pretend that CRLs don't exist 
and go merrily on their way.

Are you authenticating users or system entities with your 
certificates?  If it's the latter, I think it's easier just to dump 
the PKI and use bi-lateral trust.

-Walter

On Apr 21, 2006, at 6:54 AM, wrote:

>
> Hi all,
>
> We have implemented with OpenSAML the authentication mechanism of 
> our website. However, the time for the authentication is pretty 
> long (it takes about 20 seconds). We would like to cache the CRLs 
> in order not to connect to them every time via HTTP.
>
> One possible solution is of course to download them and keep them 
> locally, but then we have the problem of the "next update" date. I 
> mean, we have to update each CRL regularly or when "next update" 
> indicates.
>
> Has anyone had this situation and found maybe a solution?
>
> Thanks,
> Miro
>
>
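The caching scheme Miro is asking about, keyed on the CRL distribution-point URL and driven by the CRL's own nextUpdate field, as an added example. This is not code from the original thread, from OpenSAML, or from Miro's application; it uses only the Java SE java.security.cert API (CertificateFactory, X509CRL, X509Certificate). The class name, the one-hour refresh-ahead margin, and the command-line arguments (a CRL URL, the issuing CA certificate, and the certificate to check, both as DER or PEM files) are assumptions made for the example. Because the site handles sensitive data and "cannot ignore the CRLs", the cache fails closed: a CRL that is past nextUpdate and cannot be refreshed causes validation to fail rather than silently passing.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical CRL cache keyed by distribution-point URL (example code, not OpenSAML's).
 * A cached CRL is reused until REFRESH_AHEAD_MS before its nextUpdate, then re-fetched.
 * If the re-fetch fails and the cached copy is already past nextUpdate, lookups fail
 * closed, since a site handling sensitive data must not skip revocation checking.
 */
public final class CachedCrlChecker {

    /** Assumption: start refreshing one hour before nextUpdate so a slow CA is not hit on the deadline. */
    private static final long REFRESH_AHEAD_MS = 60L * 60 * 1000;

    private final CertificateFactory cf;
    private final Map<String, X509CRL> cache = new ConcurrentHashMap<String, X509CRL>();

    public CachedCrlChecker() throws Exception {
        cf = CertificateFactory.getInstance("X.509");
    }

    /** True if the CRL may still be served from cache at time now. */
    static boolean isFresh(X509CRL crl, Date now) {
        Date next = crl.getNextUpdate();
        if (next == null) {
            return false;   // no nextUpdate: treat as single-use and always re-fetch
        }
        return now.getTime() + REFRESH_AHEAD_MS < next.getTime();
    }

    /** Fetch the CRL over HTTP, parse it, and verify it was signed by the expected issuer. */
    X509CRL fetchAndVerify(String url, X509Certificate issuer) throws Exception {
        InputStream in = new URL(url).openStream();
        X509CRL crl;
        try {
            crl = (X509CRL) cf.generateCRL(in);
        } finally {
            in.close();
        }
        crl.verify(issuer.getPublicKey());   // throws on a bad or foreign signature
        if (!crl.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            throw new SecurityException("CRL issuer does not match expected CA");
        }
        return crl;
    }

    /**
     * Returns a usable CRL for url, refreshing when stale. Throws if none is available;
     * callers must treat that as "cannot validate", not as "not revoked".
     */
    public X509CRL getCrl(String url, X509Certificate issuer) throws Exception {
        Date now = new Date();
        X509CRL cached = cache.get(url);
        if (cached != null && isFresh(cached, now)) {
            return cached;
        }
        try {
            X509CRL fresh = fetchAndVerify(url, issuer);
            cache.put(url, fresh);
            return fresh;
        } catch (Exception e) {
            // Refresh failed. Inside the refresh-ahead window the old CRL is still valid
            // by its own nextUpdate, so keep using it; past nextUpdate, fail closed.
            if (cached != null && cached.getNextUpdate() != null
                    && cached.getNextUpdate().after(now)) {
                return cached;
            }
            throw new SecurityException("No valid CRL available for " + url, e);
        }
    }

    /** Revocation check for cert against the (cached) CRL published at crlUrl. */
    public boolean isRevoked(X509Certificate cert, String crlUrl, X509Certificate issuer)
            throws Exception {
        return getCrl(crlUrl, issuer).isRevoked(cert);
    }

    private X509Certificate loadCert(String path) throws Exception {
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // usage: java CachedCrlChecker <crl-url> <issuer-cert-file> <cert-to-check-file>
        CachedCrlChecker checker = new CachedCrlChecker();
        X509Certificate issuer = checker.loadCert(args[1]);
        X509Certificate cert = checker.loadCert(args[2]);
        System.out.println("revoked: " + checker.isRevoked(cert, args[0], issuer));
        // Second call is served from the cache: no HTTP round trip to the CA.
        System.out.println("revoked (cached): " + checker.isRevoked(cert, args[0], issuer));
    }
}
```

Two points worth checking when adapting this: the CRL signature is verified against the CA certificate you already trust, never against a key carried alongside the downloaded CRL, and a CRL that has no nextUpdate at all is deliberately never cached, because there is nothing in it that bounds how long it may be relied upon.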




Archive powered by MHonArc 2.6.16.