shibboleth-dev - Re: On using CRLs in Shibboleth (was: Re: Encryption key strategies)
- From: "Reimer Karlsen-Masur, DFN-CERT" <>
- Subject: Re: On using CRLs in Shibboleth (was: Re: Encryption key strategies)
- Date: Tue, 04 Jul 2006 09:40:55 +0200
Scott Cantor wrote:
>> Would the following metadata file excerpt (which I constructed
>> reading the schema files) work?
>
> I don't think RetrievalMethod is supported. It could be, but it's pretty
> worthless in this context.
In an earlier email you mentioned that I can put CRL stuff embedded in
proper XML structures in a separate file (that is how I read the following):
>>> There is no support for pulling CRLs from a file because there's no XML
>>> Signature syntax for doing that. There's one for indirecting to a file
>>> containing a <ds:X509CRL>, but that's not really too helpful since CRLs
>>> don't come that way from CAs.
So what XML elements did you mean if not RetrievalMethod?
...
>> If CRLs are stored in other files than the metadata file using the
>> RetrievalMethod element will Shibboleth notice an updated CRL if the
>> metadata file has not been updated?
>
> CRLs CANNOT be stored in other files. And if they could, the answer would be
> no, which is why we won't. So if you want this, there's the API and you're
> welcome to do it.
See above. What did you mean when talking about the indirection?
>> One does not want to do certificates for ClientAuth validated only via CAs
>> without checking for revoked ones against an up-to-date CRL, using OCSP or
>> other means.
>
> Right, so PKI is a bad idea here. Nobody will do what you're describing, so
> I think we have our answer. Most of the core team was already of this
> opinion, I was one of the few who still waffled a little. But I have to
> concede the point now.
You read me wrong here. Shibboleth and PKI, from what I get out of this
discussion, are working. Obviously you need to get up-to-date CRLs. But that
is not a problem for a well-run & managed PKI. And building a new metadata
file with these updated CRLs is just another part of the script fetching the
CRLs.
Regards
Reimer
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), DFN-CERT Services GmbH
https://www.dfn-cert.de, +49 40 808077-615 / +49 40 808077-555 (Hotline)
PGP RSA/2048, 1A9E4B95, A6 9E 4F AF F6 C7 2C B8 DA 72 F4 5E B4 A4 F0 66
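The "script fetching the CRLs" described above has one security-relevant step that is easy to skip: checking that the fetched CRL is actually current before embedding it as a `<ds:X509CRL>` in the rebuilt metadata file, so the metadata never republishes a stale CRL. The following is an added example (not code from this thread or from Shibboleth) using only the Python standard library: a minimal DER walker pulls thisUpdate/nextUpdate out of a CertificateList (RFC 5280 section 5.1), and the CRL is only base64-embedded if the validity window covers the current time. The sample CRL is constructed inline with a placeholder signature; a real script would additionally verify the CRL signature against the issuing CA.

```python
import base64
from datetime import datetime, timedelta, timezone

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val

def _time(tag, val):                       # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList (RFC 5280, 5.1)."""
    _, outer, _ = _read_tlv(der, 0)        # CertificateList
    _, tbs, _ = _read_tlv(outer, 0)        # tbsCertList
    fields = list(_children(tbs))
    if fields[0][0] == 0x02:               # optional version INTEGER
        fields = fields[1:]
    # fields: signature AlgorithmIdentifier, issuer Name, thisUpdate, [nextUpdate], ...
    this_update = _time(*fields[2])
    next_update = _time(*fields[3]) if len(fields) > 3 and fields[3][0] in (0x17, 0x18) else None
    return this_update, next_update

def crl_to_x509data(der, now):
    """Embed a CRL as <ds:X509CRL>, refusing one that is not yet valid or already stale."""
    this_update, next_update = crl_validity(der)
    if now < this_update or next_update is None or now > next_update:
        raise ValueError(f"CRL not usable at {now}: thisUpdate={this_update} nextUpdate={next_update}")
    return "<ds:X509Data><ds:X509CRL>%s</ds:X509CRL></ds:X509Data>" % base64.b64encode(der).decode("ascii")

# --- constructed sample CRL (placeholder signature, not issued by any real CA) ---
def _der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length is enough for the sample
_OID_SHA256_RSA, _OID_CN = bytes.fromhex("06092a864886f70d01010b"), bytes.fromhex("0603550403")
SAMPLE_THIS = datetime(2006, 7, 4, 7, 40, 55, tzinfo=timezone.utc)
SAMPLE_NEXT = SAMPLE_THIS + timedelta(days=1)
STALE_NOW = SAMPLE_NEXT + timedelta(hours=1)   # one hour past nextUpdate
_tbs = (_der(0x02, b"\x01")                                                      # version v2
        + _der(0x30, _OID_SHA256_RSA)                                            # signature alg
        + _der(0x30, _der(0x31, _der(0x30, _OID_CN + _der(0x0C, b"Test CA"))))  # issuer CN=Test CA
        + _der(0x17, SAMPLE_THIS.strftime("%y%m%d%H%M%SZ").encode())            # thisUpdate
        + _der(0x17, SAMPLE_NEXT.strftime("%y%m%d%H%M%SZ").encode()))           # nextUpdate
SAMPLE_CRL = _der(0x30, _der(0x30, _tbs) + _der(0x30, _OID_SHA256_RSA) + _der(0x03, b"\x00\xde\xad\xbe\xef"))
```

Calling `crl_to_x509data(SAMPLE_CRL, SAMPLE_THIS)` returns the `<ds:X509Data>` fragment to splice into the metadata, while `crl_to_x509data(SAMPLE_CRL, STALE_NOW)` raises, which is the point where a CRL-fetching script should abort rather than publish outdated revocation data.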