James.. thoughts?
-- bk
-------- Original Message --------
Subject: Re: [Pulp-list] Candlepin and Certificate Revocation
Date: Thu, 21 Jul 2011 11:55:46 -0400
From: Bryan Kearney bkearney@redhat.com
To: Jason L Connor jconnor@redhat.com
CC: pulp-list@redhat.com
On 07/21/2011 11:24 AM, Jason L Connor wrote:
> Disclaimer: I haven't done any work with Candlepin integration or even our certificate-based authorization. So this email is going to be a bunch of "thinking out loud", if you will.
>
> It looks like the functionality is boiling down to batch vs single certificate revocation.

well.. batch transmission of data, still checking per request to pulp

> In either case I prefer standards compliance over non-, so I don't like the custom option.

+1

> I guess it's a trade-off of how fine-grained, time-wise, we want certificate revocation to be vs. how much do we want to talk over the network.

I think we can live with daily, or perhaps every 6 hours or so.

> I like the batch operation (CRL) as it doesn't need to check the status of a certificate with candlepin at the same time as fielding a request from a client. However, depending on how often the revocation list is generated, the information pulp has at any given time for a certificate may be out of date.
>
> If we can keep the time granularity on certificate revocation sufficiently coarse or we're willing to live with sufficiently short periods of time in which we have dated certificate information, I think this solution is the best.
>
> If we cannot, we should move to OCSP.
I am fine with CRL if you guys are. Lemme check with the thumbslug folks.
-- bk
_______________________________________________
Pulp-list mailing list
Pulp-list@redhat.com
https://www.redhat.com/mailman/listinfo/pulp-list
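The per-request CRL check the thread settles on, with the staleness caveat Jason raises made explicit, as an added example that is not Pulp's or Candlepin's code. It uses the `cryptography` package (an assumed dependency) to build a throwaway CA, two consumer certificates and a signed CRL, then makes the decision Pulp would make on each request. The CA name, serial numbers, timestamps, the 6-hour local policy and all function names are constructed for illustration. Two freshness bounds are enforced: the CA's own nextUpdate, and a local maximum age that can be tighter than what the CA publishes (the "daily or every 6 hours" Bryan is willing to live with). A CRL that is stale or does not verify against the CA is treated as unusable rather than as "nothing revoked".

```python
"""Added example (not Pulp/Candlepin code): per-request CRL check with
freshness and signature enforcement. Assumes the `cryptography` package."""
from datetime import datetime, timedelta

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed timeline: the CA publishes its CRL at T0; requests arrive later.
T0 = datetime(2011, 7, 21, 12, 0, 0)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca():
    """Constructed fixture: a throwaway CA key and self-signed CA cert."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name("test-candlepin-ca"))
            .issuer_name(_name("test-candlepin-ca"))
            .public_key(key.public_key())
            .serial_number(1)
            .not_valid_before(T0 - timedelta(days=1))
            .not_valid_after(T0 + timedelta(days=365))
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_client_cert(ca_key, ca_cert, serial, cn):
    """Constructed fixture: a consumer identity cert signed by the CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(_name(cn))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(serial)
            .not_valid_before(T0 - timedelta(days=1))
            .not_valid_after(T0 + timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))


def build_crl(ca_key, ca_cert, revoked_serials, this_update, lifetime):
    """CA side: a signed CRL whose nextUpdate is this_update + lifetime."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(this_update)
               .next_update(this_update + lifetime))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(this_update)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def _naive_utc(crl, field):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases
    # only the naive ones. Normalise to naive UTC so comparisons work.
    aware = getattr(crl, field + "_utc", None)
    if aware is not None:
        return aware.replace(tzinfo=None)
    return getattr(crl, field)


def check_client_cert(cert, crl, ca_cert, now, max_age):
    """Pulp side, one request. Returns 'valid', 'revoked',
    'crl-untrusted' or 'crl-stale'; anything but 'valid' denies."""
    # A CRL that does not verify against the CA (or names another issuer)
    # carries no information; fail closed rather than treat it as empty.
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "crl-untrusted"
    if crl.issuer != cert.issuer:
        return "crl-untrusted"
    # Bound 1: the CA's own nextUpdate. Bound 2: local policy (max_age),
    # which may be stricter than what the CA publishes.
    if now > _naive_utc(crl, "next_update"):
        return "crl-stale"
    if now - _naive_utc(crl, "last_update") > max_age:
        return "crl-stale"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "valid"


def run_scenario():
    """Drive the check through the cases discussed in the thread."""
    ca_key, ca_cert = make_ca()
    alive = issue_client_cert(ca_key, ca_cert, 1001, "consumer-a")
    pulled = issue_client_cert(ca_key, ca_cert, 1002, "consumer-b")
    crl = build_crl(ca_key, ca_cert, [1002], T0, timedelta(hours=24))
    six_h = timedelta(hours=6)
    # Same CA subject name, different key: only the signature check catches it.
    other_key, other_ca = make_ca()
    forged = build_crl(other_key, other_ca, [], T0, timedelta(hours=24))
    return {
        "alive_at_1h": check_client_cert(alive, crl, ca_cert, T0 + timedelta(hours=1), six_h),
        "pulled_at_1h": check_client_cert(pulled, crl, ca_cert, T0 + timedelta(hours=1), six_h),
        "alive_at_7h": check_client_cert(alive, crl, ca_cert, T0 + timedelta(hours=7), six_h),
        "alive_at_25h": check_client_cert(alive, crl, ca_cert, T0 + timedelta(hours=25), timedelta(days=7)),
        "forged_crl": check_client_cert(pulled, forged, ca_cert, T0 + timedelta(hours=1), six_h),
    }
```

Calling `run_scenario()` shows the trade-off in the thread directly: at one hour the cached CRL answers correctly for both consumers, at seven hours the same CRL is still inside the CA's 24-hour nextUpdate but outside the 6-hour local policy and is refused, and at 25 hours it is refused regardless of local policy. In a real deployment the `crl-stale` outcome should trigger a re-fetch from Candlepin before denying; the point is that it must not silently fall through to `valid`.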