James.. thoughts?
-- bk
-------- Original Message --------
Subject: Re: [Pulp-list] Candlepin and Certificate Revocation
Date: Thu, 21 Jul 2011 11:55:46 -0400
From: Bryan Kearney bkearney@redhat.com
To: Jason L Connor jconnor@redhat.com
CC: pulp-list@redhat.com
On 07/21/2011 11:24 AM, Jason L Connor wrote:
Disclaimer: I haven't done any work with Candlepin integration or even our certificate-based authorization. So this email is going to be a bunch of "thinking out loud", if you will.
It looks like the functionality is boiling down to batch vs single certificate revocation.
well.. batch transmission of data, still checking per request to pulp
In either case I prefer standards compliance over non-, so I don't like the custom option.
+1
I guess it's a trade-off of how fine-grained, time-wise, we want certificate revocation to be vs. how much we want to talk over the network.
I think we can live with daily, or perhaps every 6 hours or so.
I like the batch operation (CRL) as it doesn't need to check the status of a certificate with candlepin at the same time as fielding a request from a client. However, depending on how often the revocation list is generated, the information pulp has at any given time for a certificate may be out of date.
If we can keep the time granularity on certificate revocation sufficiently coarse or we're willing to live with sufficiently short periods of time in which we have dated certificate information, I think this solution is the best.
If we cannot, we should move to OCSP.
I am fine with CRL if you guys are. Lemme check with the thumbslug folks.
-- bk
_______________________________________________ Pulp-list mailing list Pulp-list@redhat.com https://www.redhat.com/mailman/listinfo/pulp-list
On Thu, Jul 21, 2011 at 11:56:48AM -0400, Bryan Kearney wrote:
CRL works for me. Now, OTOH, thumbslug has to call home to candlepin to get the matching upstream cert for whatever client cert was used, before we can forward the request, so as I think of it, that might just be able to handle the revocation for us. No matching upstream cert response = client cert has been revoked.
If we cache the upstream certs on thumbslug though, we might need the CRL, too. Regardless, CRL sounds good. Less complicated than OCSP ;)
_______________________________________________ candlepin mailing list candlepin@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/candlepin
-James
On 07/21/2011 01:34 PM, James Bowes wrote:
ok.. CRL it is. Assume CP will write it out to a known location. ts/pulp do the needful to monitor and reload.
-- bk
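The design the thread settles on (the issuer writes a CRL to a known location; the consumer monitors the file, reloads it, and checks each client cert against it, accepting that the list may be a few hours old) is shown below as an added, constructed example. It is not code from Candlepin, thumbslug or Pulp: it assumes the `cryptography` Python package, and `CrlChecker`, `write_crl`, the CRL path and the certificate names are all hypothetical. It also covers the two checks a consumer should not skip: verifying the CRL's signature and issuer before trusting it, and flagging a CRL whose nextUpdate has already passed, which is the "dated information" risk raised in the thread.

```python
"""Constructed demo: CRL published to a known path, consumer reloads on change.
Assumes the `cryptography` package; all names are hypothetical, not code from
Candlepin, thumbslug or Pulp."""
import datetime
import os
import tempfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def _now():
    return datetime.datetime.now(UTC)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert_builder(subject, issuer, public_key):
    now = _now()
    return (x509.CertificateBuilder()
            .subject_name(_name(subject)).issuer_name(issuer)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=1))
            .not_valid_after(now + datetime.timedelta(days=1)))


def make_ca():
    """Self-signed demo CA (stands in for the issuing CA in the thread)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (_cert_builder("demo-ca", _name("demo-ca"), key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_client(ca_key, ca_cert, cn):
    """Client certificate signed by the demo CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return _cert_builder(cn, ca_cert.subject, key.public_key()).sign(ca_key, hashes.SHA256())


def write_crl(path, ca_key, ca_cert, revoked_serials, validity=datetime.timedelta(hours=6)):
    """Issuer side: publish a fresh CRL atomically at the agreed path."""
    now = _now()
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(now - datetime.timedelta(minutes=1))
               .next_update(now + validity))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(now - datetime.timedelta(minutes=1)).build())
    crl = builder.sign(ca_key, hashes.SHA256())
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(crl.public_bytes(serialization.Encoding.PEM))
    os.replace(tmp, path)  # rename is atomic, so a reader never sees a half-written CRL


class CrlChecker:
    """Consumer side: check client certs against the CRL, reloading when the file changes."""

    def __init__(self, crl_path, ca_cert):
        self.crl_path, self.ca_cert = crl_path, ca_cert
        self._fingerprint, self._crl = None, None

    def _load(self):
        st = os.stat(self.crl_path)
        fingerprint = (st.st_mtime_ns, st.st_size, st.st_ino)  # cheap change detection
        if fingerprint != self._fingerprint:
            with open(self.crl_path, "rb") as fh:
                crl = x509.load_pem_x509_crl(fh.read())
            # Never trust a CRL just because it sits at the known path.
            if not crl.is_signature_valid(self.ca_cert.public_key()):
                raise ValueError("CRL signature does not verify against the CA")
            if crl.issuer != self.ca_cert.subject:
                raise ValueError("CRL issuer does not match the CA")
            self._crl, self._fingerprint = crl, fingerprint
        return self._crl

    def is_stale(self):
        """True once nextUpdate has passed: the 'dated information' case from the thread."""
        crl = self._load()
        nxt = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=UTC)
        return _now() > nxt

    def status(self, client_cert):
        """'revoked', 'good', or 'unknown-issuer' (a cert from another CA is never 'good')."""
        if client_cert.issuer != self.ca_cert.subject:
            return "unknown-issuer"
        crl = self._load()
        if crl.get_revoked_certificate_by_serial_number(client_cert.serial_number) is not None:
            return "revoked"
        return "good"


def demo():
    ca_key, ca_cert = make_ca()
    alice = issue_client(ca_key, ca_cert, "client-alice")
    bob = issue_client(ca_key, ca_cert, "client-bob")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "issuer.crl")  # hypothetical "known location"
        write_crl(path, ca_key, ca_cert, [alice.serial_number])
        checker = CrlChecker(path, ca_cert)
        first = (checker.status(alice), checker.status(bob), checker.is_stale())
        # Issuer publishes a new CRL; the checker notices the changed file and reloads.
        write_crl(path, ca_key, ca_cert, [alice.serial_number, bob.serial_number])
        second = (checker.status(alice), checker.status(bob))
        # A CRL whose nextUpdate is already in the past must be flagged, not trusted silently.
        write_crl(path, ca_key, ca_cert, [], validity=datetime.timedelta(seconds=-30))
        stale = checker.is_stale()
    return first, second, stale


if __name__ == "__main__":
    print(demo())  # (('revoked', 'good', False), ('revoked', 'revoked'), True)
```

The consumer keys its reload on the file's mtime, size and inode rather than on a fixed timer, so a CRL published every 6 hours (or daily, as the thread suggests) is picked up on the next request after it lands; what to do when `is_stale()` is true (deny, or serve with the old list and alert) is the policy decision the thread leaves open.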