On 07/21/2011 01:34 PM, James Bowes wrote:
On Thu, Jul 21, 2011 at 11:56:48AM -0400, Bryan Kearney wrote:
James.. thoughts?
-- bk
CRL works for me. Now, otoh, thumbslug has to call home to candlepin to get the matching upstream cert for whatever client cert was used, before we can forward the request, so as I think of it, that might just be able to handle the revocation for us. No matching upstream cert response = client cert has been revoked.
If we cache the upstream certs on thumbslug though, we might need the CRL, too. Regardless, CRL sounds good. Less complicated than OCSP ;)
ok.. crl it is. Assume CP will write it out to known location. ts/pulp do the needful to monitor and reload.
-- bk