Yes, we use this as well. Using LDAP for the authentication, including certs, allows you to forget the CRL stuff if you need it for authentication on a server or portal. And, compared to CRLs, it is much more real-time.
On 2002-11-25 7:53, "Jimi Thompson" <[EMAIL PROTECTED]> wrote:
...
> Indeed - a fact that never fails to astound me. We were looking at buying a
> reverse-proxy that would allow us to make available some of our internal Web
> apps from the Internet, with the requirement that a valid SSL client cert
> be presented first. In order to control which client certs were valid, we
> have to rely on CRL so that we can (e.g.) revoke a client cert when
> someone's laptop is stolen.
>
> *NONE* of the commercial offerings we looked at supported CRLs...
>
> I can't believe they could claim to support HTTPS and especially client
> certs without also supporting CRL. But they are still plugging their
> products...
>
> Jason,
>
> There is actually a somewhat unwieldy work around for this using an
> extended LDAP schema. It goes something like this. Use LDAP
> authentication but extend the LDAP schema to include the certificate. If
> the authentication request doesn't match the cert in the schema, you don't
> get to play. It's the closest I've been able to come to actually getting a
> working CRL. I agree that it is ridiculous that the commercial products
> don't perform better, but we live in a world where people run Windows
> firewalls. Consumers are willing to accept crap. What can I say....
>
> My best advice is to cook up your own home grown solution and then complain
> loudly to everyone who will listen. The mailing list you will likely want
> to join and do your carping on is [EMAIL PROTECTED] Work is in progress on
> the "new and improved" PKI standard. Become part of the solution.
>
> HTH,
>
> Jimi
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]

--
************************************************************************
Karl-Michael Werzowa
A-1190 Wien, Paradisgasse 28/4/6
+43 (664)302 4511, fax +43 (1)328 1992 14
[EMAIL PROTECTED], [EMAIL PROTECTED]
************************************************************************
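Jimi's LDAP-held-certificate check and Karl's point about immediacy, sketched as an added example (my code, not from anyone in this thread): the proxy looks up the user's entry and admits the TLS-verified client cert only if its fingerprint matches a cert stored on that entry, so deleting the attribute value revokes at once; it also handles the multi-valued attribute a user holds mid-rotation. Assumptions: the directory is a constructed in-memory dict standing in for a real LDAP search, the certificates are constructed placeholder bytes, and the attribute name is the standard userCertificate;binary rather than a site-specific extended schema.

```python
import hashlib
import hmac

# Attribute name from the standard pkiUser/inetOrgPerson schema (RFC 4523);
# a site-specific extended schema, as in the thread, would use its own name.
CERT_ATTR = "userCertificate;binary"

# Constructed stand-in for the directory (DN -> attributes). A real deployment
# would do an LDAP search here (e.g. python-ldap's search_s) instead.
CONSTRUCTED_CERT_A = b"\x30\x82-constructed-DER-placeholder-alice"
CONSTRUCTED_CERT_B = b"\x30\x82-constructed-DER-placeholder-bob"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
DIRECTORY = {
    ALICE: {CERT_ATTR: [CONSTRUCTED_CERT_A]},
    "uid=bob,ou=people,dc=example,dc=com": {CERT_ATTR: [CONSTRUCTED_CERT_B]},
}

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def authorize(dn: str, presented_der: bytes, directory=DIRECTORY):
    """Return (allowed, reason). The cert the TLS layer already verified must
    also be one currently stored on the user's directory entry."""
    entry = directory.get(dn)
    if entry is None:
        return False, "no directory entry"
    stored = entry.get(CERT_ATTR, [])
    if not stored:
        return False, "no certificate on entry (revoked)"
    presented_fp = fingerprint(presented_der)
    # userCertificate is multi-valued: a user mid-rotation may hold two certs.
    for der in stored:
        if hmac.compare_digest(fingerprint(der), presented_fp):
            return True, "certificate matches directory"
    return False, "certificate not on entry"

def revoke(dn: str, der: bytes, directory=DIRECTORY) -> None:
    """Revoke by deleting the cert value from the entry. The next authentication
    fails immediately; no CRL has to be published or fetched by clients."""
    entry = directory.get(dn)
    if entry is not None:
        entry[CERT_ATTR] = [c for c in entry.get(CERT_ATTR, []) if c != der]

if __name__ == "__main__":
    print(authorize(ALICE, CONSTRUCTED_CERT_A))  # (True, 'certificate matches directory')
    revoke(ALICE, CONSTRUCTED_CERT_A)            # laptop stolen
    print(authorize(ALICE, CONSTRUCTED_CERT_A))  # (False, 'no certificate on entry (revoked)')
```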