shibboleth-dev - Re: On using CRLs in Shibboleth (was: Re: Encryption key strategies)
- From: "Reimer Karlsen-Masur, DFN-CERT" <>
- Subject: Re: On using CRLs in Shibboleth (was: Re: Encryption key strategies)
- Date: Wed, 05 Jul 2006 11:43:15 +0200
Scott Cantor wrote:
>> So what XML elements did you mean if not RetrievalMethod?
>
> I was talking about what XML Signature allows, not what was implemented.
Ok.
...
>> Obviously you need to get up-to-date CRLs.
>
> As Jim Fox noted, CRLs are the wrong idea for this kind of thing. We'd need
> real-time, but nobody is putting up any OCSP or XKMS stuff, so I'd say we
> need to start looking for other solutions here.
Real-time is what one should aim for when authenticating end-users via
client certificates against an IdP's SSO webpage.
When talking about Shibboleth's inner architectural trust-fabric, real-time is
nice but not necessary.
See the Grid community...: recommended CRL refresh at least once a day.
Standard installations of widely deployed Grid projects download the CRLs
every 6 hours (plus some random minutes to avoid load peaks at the CDPs).
In any case (real-time, CRL or metadata) there is always the slack from time
of compromise to the detection of it which - I guess - is much longer than
the slack at which new metadata or CRLs are polled.
However, if this data is pushed, it is similar to real-time.
> If I have to go get a fresh metadata file to revoke a certificate, inline
> keys will work exactly as well, but are faster, simpler, and are more
> understandable. Furthermore, going back to the original thread, it gives me
> simple encryption support.
In real life the revocation of certificates happens very slowly even if the
subscribers are obliged to revoke a certificate immediately after detection
of a compromise or for other reasons. I don't know if the metadata inline
certificate model is helping to solve this...
Subscribers would need to turn up at two places: at the CA or RA to get the
certificate revoked and at the federation's metadata file management.
--
Kind Regards
Reimer Karlsen-Masur
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), DFN-CERT Services GmbH
https://www.dfn-cert.de, +49 40 808077-615 / +49 40 808077-555 (Hotline)
PGP RSA/2048, 1A9E4B95, A6 9E 4F AF F6 C7 2C B8 DA 72 F4 5E B4 A4 F0 66
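The Grid refresh practice described in the message above (fetch every 6 hours plus random minutes, refresh at least daily) written out as a small CRL cache policy. This is an added example, not code from the thread or from Shibboleth; the CRL timestamps and delays are constructed, and the 24-hour maximum age and 30-minute jitter cap are assumed values.

```python
"""CRL refresh policy (added example): poll on an interval plus random
jitter, refuse stale CRLs, and bound the worst-case revocation lag."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import random

@dataclass(frozen=True)
class CachedCrl:
    this_update: datetime   # CRL thisUpdate field
    next_update: datetime   # CRL nextUpdate field
    fetched_at: datetime    # when this copy was downloaded

def next_fetch_time(crl, interval=timedelta(hours=6),
                    max_jitter=timedelta(minutes=30), rng=None):
    """Schedule the next download at fetched_at + interval + random jitter
    (spreads load on the CDP), but never later than the CRL's nextUpdate."""
    rng = rng or random.Random()
    jitter = timedelta(seconds=rng.uniform(0, max_jitter.total_seconds()))
    return min(crl.fetched_at + interval + jitter, crl.next_update)

def is_usable(crl, now, max_age=timedelta(hours=24)):
    """A cached CRL is usable only inside its validity window and only if
    thisUpdate is no older than max_age (assumed daily refresh floor)."""
    in_window = crl.this_update <= now < crl.next_update
    return in_window and (now - crl.this_update) <= max_age

def worst_case_revocation_lag(detect, publish, interval, max_jitter):
    """Longest gap from compromise to every relying party seeing the
    revocation under polling: detection + CA publication + one full poll
    interval + maximum jitter. A push model removes the last two terms."""
    return detect + publish + interval + max_jitter

def demo():
    """Constructed sample values; returns plain numbers and booleans."""
    t0 = datetime(2006, 7, 5, tzinfo=timezone.utc)
    daily = CachedCrl(t0, t0 + timedelta(days=1), t0 + timedelta(hours=8))
    late = CachedCrl(t0, t0 + timedelta(days=1), t0 + timedelta(hours=20))
    weekly = CachedCrl(t0 - timedelta(days=1), t0 + timedelta(days=6), t0)
    nf = next_fetch_time(daily, rng=random.Random(1)) - daily.fetched_at
    lag = worst_case_revocation_lag(timedelta(hours=48), timedelta(hours=1),
                                    timedelta(hours=6), timedelta(minutes=30))
    return {
        "next_fetch_offset_s": nf.total_seconds(),  # between 21600 and 23400
        "late_capped_at_next_update": next_fetch_time(late) == late.next_update,
        "usable_now": is_usable(daily, t0 + timedelta(hours=12)),
        "usable_after_expiry": is_usable(daily, t0 + timedelta(hours=25)),
        "weekly_crl_too_old": not is_usable(weekly, t0 + timedelta(hours=12)),
        "worst_case_lag_h": lag.total_seconds() / 3600,  # 55.5
    }
```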