On Sun, Nov 24, 2002 at 09:29:09PM -0800, Jimi Thompson wrote:
> It is also interesting to note that for practical purposes Certificate
> Revocation Lists are invalid. While they do exist and are part of the
> standard, very few applications are written to take advantage of them. Once
> a certificate is issued, it is "good" until its expiration date, if one was
> set.
Indeed - a fact that never fails to astound me.

We were looking at buying a reverse proxy that would allow us to make available some of our internal Web apps from the Internet, with the requirement that a valid SSL client cert be presented first. In order to control which client certs are valid, we have to rely on a CRL so that we can (e.g.) revoke a client cert when someone's laptop is stolen.

*NONE* of the commercial offerings we looked at supported CRLs... I can't believe they could claim to support HTTPS, and especially client certs, without also supporting CRLs. But they are still plugging their products...

After that, we decided Apache was our friend :-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
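The check those gateways were missing, shown as an added example that is not part of the original message or of OpenSSL's own documentation: a throwaway CA built with the openssl command line issues two client certificates, revokes one (the "stolen laptop"), publishes a CRL, and then verifies both certificates twice, once chain-only and once with the CRL consulted. The CA layout, the config file, the working directory and the client names laptop1/laptop2 are all constructed for this demo; it assumes an openssl binary (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Added example, not code from the original thread. Demonstrates why a
# client-cert gateway must consult the CRL: without it, a revoked cert
# still verifies fine until it expires.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # throwaway CA directory (constructed for the demo)
CNF="$WORK/ca.cnf"

# Minimal config for `openssl req` and `openssl ca`. `openssl ca` needs the
# index/serial/crlnumber bookkeeping files to exist before its first run.
setup_ca() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"
    cat > "$CNF" <<EOF
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = policy_any
x509_extensions  = v3_client

[ policy_any ]
commonName       = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Self-signed CA certificate that is allowed to sign certs and CRLs.
    openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Client CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        >/dev/null 2>&1
}

# Issue a client certificate for the given name (key, CSR, signed cert).
issue_cert() {
    openssl req -config "$CNF" -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl ca -config "$CNF" -batch -notext \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" >/dev/null
}

# Revoke a client certificate and publish a fresh CRL. Revocation is useless
# until the CRL is regenerated and handed to every verifier.
revoke_cert() {
    openssl ca -config "$CNF" -revoke "$WORK/$1.crt" >/dev/null
    openssl ca -config "$CNF" -gencrl -out "$WORK/ca.crl" >/dev/null
}

# What a gateway with CRL support does: chain to the CA *and* check the CRL.
# (-crl_check covers the leaf only; -crl_check_all would cover the chain.)
check_with_crl() {
    openssl verify -CAfile "$WORK/ca.crt" -crl_check -CRLfile "$WORK/ca.crl" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

# What a gateway without CRL support effectively does: chain only.
check_without_crl() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

setup_ca
issue_cert laptop1
issue_cert laptop2
revoke_cert laptop1      # laptop1 was stolen; its cert is still unexpired

for name in laptop1 laptop2; do
    if check_without_crl "$name"; then a=accepted; else a=rejected; fi
    if check_with_crl "$name"; then b=accepted; else b=rejected; fi
    echo "$name: chain-only $a, with CRL $b"
done
```

Run as-is; it prints that laptop1 is accepted chain-only but rejected once the CRL is consulted, while laptop2 passes both. Apache's mod_ssl consumes the same ca.crl through SSLCARevocationFile alongside SSLVerifyClient require, and the CRL has to be regenerated and redeployed every time a cert is revoked and before its nextUpdate passes, or verification with -crl_check fails for everyone.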