GS> So, I'm working with an EAP-TLS system running under freeradius.
GS> I've set up things to use a CRL [not OCSP] to revoke certificates and
GS> all works well.
GS>
GS> However, the parameter default_crl_days=XXX puzzles me.
GS>
GS> Through trial and error [mostly error] I know that if I don't
GS> regenerate the CRL every default_crl_days, the CRL expires and then
GS> freeradius won't auth anything at all.
GS>
GS> So, I thought - why should I set the default_crl_days to some low
GS> number? I assume that it [the CRL] can be replaced with a "new" CRL,
GS> should we need one, long before the default_crl_days limit is reached.
GS> Is that correct?
GS>
GS> So, if that's the case, what would be the downside of making the
GS> default_crl_days equal to the validity of the CA itself, for example?
GS> [e.g. If the CA cert is valid for 100 years, why not set the
GS> default_crl_days to 36500+/- days too?]
GS>
GS> I assume there's some other use, other than EAP-TLS, where doing this
GS> might be a bad plan, but I'm afraid I can't think of one in the
GS> EAP-TLS context with FreeRadius. Am I missing something?
GS>
GS> [And I'd be glad to be pointed to another context, if there is one,
GS> where setting a very long-ish default_crl_days would be bad - even if
GS> it's fine in the setting I'm discussing. Knowing would be good
GS> education.]
GS>
GS> TIA
GS> -Greg

===

Anyone care to respond to this query? I've done some looking, but I really can't find any guidance...

Again, TIA for any light you can shed on the question!

-Greg

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
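An added example, not code from Greg or from the list, that reproduces the behaviour asked about with a throwaway OpenSSL CA (`openssl ca -gencrl` driven by a minimal openssl.cnf with `default_crl_days`, checked with `openssl verify -crl_check -attime`). It assumes the openssl CLI is installed; the CA and the client identities (Demo CA, alice, bob) are constructed, and it goes one step past the question by showing the cost of a ~100-year nextUpdate: a relying party still holding the old list keeps accepting a certificate revoked after that list was cut.

```shell
# Added example (not from the thread): a throwaway CA showing what default_crl_days
# controls. A CRL past its nextUpdate fails *every* cert (the "won't auth anything"
# symptom); a long-lived CRL avoids that, but a relying party still holding it keeps
# accepting a cert revoked after it was issued. Names here are constructed.
crl_demo() {
  dir=$(mktemp -d)
  cat >"$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
serial = $dir/serial
crlnumber = $dir/crlnumber
new_certs_dir = $dir
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
  : >"$dir/index.txt"; echo 01 >"$dir/serial"; echo 01 >"$dir/crlnumber"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  for n in alice bob; do   # constructed EAP-TLS client identities
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" -keyout "$dir/$n.key" \
      -out "$dir/$n.csr" >/dev/null 2>&1
    openssl ca -batch -config "$dir/ca.cnf" -days 365 -in "$dir/$n.csr" \
      -out "$dir/$n.pem" >/dev/null 2>&1
  done
  # check NAME CRL EPOCH -> OK/FAIL: chain + CRL validation as of EPOCH
  check() {
    openssl verify -CAfile "$dir/ca.pem" -crl_check -CRLfile "$dir/$2" \
      -attime "$3" "$dir/$1.pem" >/dev/null 2>&1 && echo OK || echo FAIL
  }
  gencrl() { openssl ca -config "$dir/ca.cnf" -gencrl "$@" >/dev/null 2>&1; }
  now=$(date +%s); later=$((now + 40 * 86400))   # 40 days > default_crl_days
  gencrl -out "$dir/short.crl"                   # nextUpdate = now + 30 days
  r1=$(check alice short.crl "$now")             # OK: fresh CRL, alice not revoked
  r2=$(check alice short.crl "$later")           # FAIL: CRL expired, alice rejected anyway
  gencrl -crldays 36500 -out "$dir/long.crl"     # ~100-year nextUpdate
  r3=$(check alice long.crl "$later")            # OK: no expiry to force a refresh
  openssl ca -config "$dir/ca.cnf" -revoke "$dir/bob.pem" >/dev/null 2>&1
  gencrl -crldays 36500 -out "$dir/long2.crl"    # CRL that actually lists bob
  r4=$(check bob long2.crl "$later")             # FAIL: revoked, seen with the new CRL
  r5=$(check bob long.crl "$later")              # OK: stale long-lived CRL still trusted
  rm -rf "$dir"
  echo "$r1 $r2 $r3 $r4 $r5"                     # OK FAIL OK FAIL OK
}
```

Running `crl_demo` prints the five results: the first FAIL is the CRL-expiry rejection behind the symptom Greg describes, and the final OK is the cost of a very long default_crl_days, since nothing ever forces a relying party to fetch a newer list.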