Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/05/23 14:58:14 UTC
DO NOT REPLY [Bug 14104] - not documented: must restart server to load new CRL
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=14104>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
------- Additional Comments From benoit.lejeune@brutele.be 2006-05-23 12:58 -------
Hi All,
I also have the same problem.
You seem to forget the exact role of a CRL.
Remember: the X.509 CRL format is a list of revoked certificates. Thus, the goal
here is to stop access for someone who has a revoked certificate.
From a security point of view, waiting until the CRL expiration date is not a
good solution (it can be 2 days or more). You put your business at risk. In fact,
according to some PKI policies (CSP - Certificate Security Policies), depending
on your working environment (as in my case), the revoked certificates must be
blocked a maximum of 10 seconds after the effective revocation. Thus, in my case, as soon as
the CRL has been updated, you have to reload it and block any access. This
is not special to my case; many companies (insurance, financial, ...)
have these types of rules.
More: A CRL, in our case, is published every 30 min, even if no revocation occurs
(to avoid overwriting of our CRL and to ensure that all chains are working), or
immediately after a revocation. Its expiration date (next update) is at least 48
hours (this is only for business continuity, to have time to intervene
in case of a CRL distribution problem or whatever).
More: We are also using appliance reverse proxy hardware, XML security
gateways, and software application firewall hardware. All of them have this type of
feature for the CRL. They load it either based on a regular verification interval
(i.e. every 5 seconds) or immediately after they detect the change; it depends
on the product. Why would this be different in Apache? Microsoft's IIS
works like that too.
Regards
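The behaviour the comment above attributes to the appliances (check the CRL every few seconds, reload only when it actually changes) can be reproduced on the Apache side with a small poller, since mod_ssl reads the CRL file only when the server starts or restarts. The script below is an added example, not code from the bug report or from httpd. The CRL and CA paths, the state file, the 5-second interval and the reload command are assumptions; `apachectl graceful` is httpd's own graceful restart, which re-reads the configuration and with it the CRL file. The `openssl crl -CAfile` signature check is optional and is skipped when the openssl CLI is not installed.

```shell
#!/bin/sh
# Added example (not from the bug report or from httpd): poll a CRL file at a
# short interval and gracefully restart httpd when the CRL's content changes,
# the workaround for mod_ssl loading SSLCARevocationFile only at startup.
# All paths, the interval and the reload command below are assumptions.

CRL_FILE="${CRL_FILE:-/etc/httpd/ssl/ca.crl}"          # assumed path
STATE_FILE="${STATE_FILE:-/var/run/crl-watch.digest}"  # last digest seen
CA_FILE="${CA_FILE:-/etc/httpd/ssl/ca.pem}"            # assumed path, for the signature check
INTERVAL="${INTERVAL:-5}"                              # seconds, as in the comment above
RELOAD_CMD="${RELOAD_CMD:-apachectl graceful}"         # re-reads config, including the CRL

# Digest of the CRL's content. Content rather than mtime, so a republish of
# an unchanged CRL (the every-30-minutes case) or a plain touch of the file
# does not trigger a pointless restart.
crl_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1   # CRC is enough here: this is change detection, the CRL itself is signed
    fi
}

# Returns 0 (true) when the CRL differs from the digest recorded in the state
# file and records the new digest; returns 1 when nothing changed or the CRL
# is unreadable. The first sighting of a CRL counts as a change.
crl_changed() {
    crl="${1:-$CRL_FILE}"
    state="${2:-$STATE_FILE}"
    [ -r "$crl" ] || return 1
    new=$(crl_digest "$crl")
    old=""
    if [ -r "$state" ]; then
        old=$(cat "$state")
    fi
    [ "$new" != "$old" ] || return 1
    printf '%s\n' "$new" > "$state"
    return 0
}

# Sanity checks before restarting: the file must parse as a CRL and, when the
# CA certificate is present, its signature must verify. Restarting onto a
# truncated or unsigned CRL would make mod_ssl fail client-certificate checks
# for everyone. Skipped (returns 0) when the openssl CLI is not installed.
crl_sane() {
    crl="${1:-$CRL_FILE}"
    ca="${2:-$CA_FILE}"
    command -v openssl >/dev/null 2>&1 || return 0
    openssl crl -in "$crl" -noout >/dev/null 2>&1 || return 1
    if [ -r "$ca" ]; then
        openssl crl -in "$crl" -CAfile "$ca" -noout 2>&1 | grep -q '^verify OK' || return 1
    fi
    return 0
}

# Poll loop: the "check every 5 seconds" behaviour described for the appliances.
watch_crl() {
    while :; do
        if crl_changed "$CRL_FILE" "$STATE_FILE"; then
            if crl_sane "$CRL_FILE" "$CA_FILE"; then
                echo "CRL changed, restarting httpd gracefully"
                $RELOAD_CMD
            else
                echo "CRL changed but failed sanity check, not restarting" >&2
            fi
        fi
        sleep "$INTERVAL"
    done
}

# Only start the loop when explicitly asked, so the file can also be sourced.
if [ "${CRL_WATCH_RUN:-0}" = "1" ]; then
    watch_crl
fi
```

Run it under a supervisor with `CRL_WATCH_RUN=1`, or call `crl_changed` and `crl_sane` from a cron job. The digest comparison is what keeps the 5-second interval cheap: a graceful restart happens only when the CRL's bytes actually change, not every time the CA republishes an identical list.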