Re: A little off-topic: Looking for ideas re. CRL Checking and Tomcat
From: Sudsy (bitbucket44_at_hotmail.com)
Date: 08/21/04
- Next message: Paul Lutus: "Re: applet "not found" in IE6"
- Previous message: Michael Borgwardt: "Re: Determine platform with ANT"
- In reply to: ohaya: "A little off-topic: Looking for ideas re. CRL Checking and Tomcat"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Fri, 20 Aug 2004 19:25:56 -0400
ohaya wrote:
<snip>
> P.S. Since Tomcat uses JSSE, I've been reading through the JSSE docs.
> I'm kind of surprised that so far at least, I have seen very little in
> these docs mentioning CRLs and CRL checking. I guess I would've
> expected that CRL checking would've been a key requirement in any kind
> of software that involves PKI.
It comes down to a question of who is willing to take responsibility
for maintaining a Certificate Revocation List (CRL for those who don't
know the terminology). Should it be the organization which issued the
certificate in the first place? How much server space and bandwidth
are they going to have to allocate to respond to queries? Will the cost
be factored into what you pay to have your certificate signed in the
first place? And what if a mistake is made and a certificate is revoked
by someone other than the owner? Who's going to accept liability when
a major site is knocked out of commission because the certificate has
been maliciously or accidentally added to a CRL? Just take a look at
what's happening in the domain registration arena!
It's a quagmire! That's probably why there's not a lot of attention
given to the issue. Besides which, people and organizations utilizing
the PKI (Public Key Infrastructure) should KNOW how important it is to
keep the private key secure and take appropriate steps, institute
controls, etc. Organizations will typically manage their own CRL when
using PKI to enable remote access to corporate data. As soon as a laptop
goes missing, the key is administratively revoked.
P.S. I prefer a mechanism which requires a password to "unlock" the key
on the remote client. If the client computer goes missing, the key
remains inaccessible. But that's just me being paranoid...
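Since the question behind this thread is how to get JSSE to consult a CRL at all, here is an added example of what that looks like in plain JCA/JSSE code. It is not code from either poster and not part of Tomcat; it assumes a JKS trust store `truststore.jks` (password `changeit`, CA under alias `ca`), the CA's current CRL in `ca.crl`, and a PEM client certificate `client.pem`, all hypothetical file names. Requires Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example: CRL-aware certificate validation with standard JCA/JSSE.
 * Assumed inputs (hypothetical, not from the original thread):
 *   truststore.jks - JKS holding the issuing CA certificate under alias "ca"
 *   ca.crl         - the CA's current CRL, DER or PEM encoded
 *   client.pem     - the certificate to check, PEM encoded
 */
public class CrlCheck {

    /** Load a CRL and refuse it unless the CA signed it and it is inside its validity window. */
    static X509CRL loadVerifiedCrl(String crlPath, X509Certificate caCert) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509CRL crl;
        try (InputStream in = new FileInputStream(crlPath)) {
            crl = (X509CRL) cf.generateCRL(in);
        }
        // An unverified CRL is worthless: anyone could hand us a list that omits a revoked cert.
        crl.verify(caCert.getPublicKey());
        // Fail closed on a stale CRL; one past nextUpdate may be missing recent revocations.
        Date now = new Date();
        if (crl.getNextUpdate() != null && now.after(crl.getNextUpdate())) {
            throw new SecurityException("CRL expired at " + crl.getNextUpdate());
        }
        if (now.before(crl.getThisUpdate())) {
            throw new SecurityException("CRL not yet valid, thisUpdate " + crl.getThisUpdate());
        }
        return crl;
    }

    /** PKIX parameters that check revocation against the supplied CRL only (no network fetch). */
    static PKIXBuilderParameters crlParams(KeyStore trustStore, X509CRL crl) throws Exception {
        // The SunJSSE PKIX trust manager insists on PKIXBuilderParameters, not plain PKIXParameters.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.setRevocationEnabled(true); // already the default; stated so the intent is visible
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(crl))));
        return params;
    }

    /** Validate one chain; throws CertPathValidatorException if it is revoked or untrusted. */
    static void validate(List<X509Certificate> chain, PKIXBuilderParameters params) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    /** Hand the same parameters to JSSE so every TLS handshake applies the CRL check. */
    static SSLContext sslContextWithCrl(PKIXBuilderParameters params) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("truststore.jks")) {
            trustStore.load(in, "changeit".toCharArray());
        }
        X509Certificate caCert = (X509Certificate) trustStore.getCertificate("ca"); // assumed alias
        X509CRL crl = loadVerifiedCrl("ca.crl", caCert);
        PKIXBuilderParameters params = crlParams(trustStore, crl);

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate client;
        try (InputStream in = new FileInputStream("client.pem")) {
            client = (X509Certificate) cf.generateCertificate(in);
        }
        try {
            validate(Collections.singletonList(client), params);
            System.out.println("accepted: " + client.getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getReason() separates REVOKED from UNDETERMINED_REVOCATION_STATUS (no usable CRL)
            System.out.println("rejected: " + e.getMessage() + " [" + e.getReason() + "]");
        }
        SSLContext ctx = sslContextWithCrl(params);
        System.out.println("SSLContext with CRL checking ready: " + ctx.getProtocol());
    }
}
```

Two behaviours worth knowing before relying on this: with revocation enabled and no CRL in any cert store, the PKIX validator rejects the chain because it cannot determine revocation status, which is the fail-closed default you want; and a Tomcat connector builds its own trust manager rather than using an `SSLContext` you construct, so in a servlet container this wiring has to go through the connector's own SSL configuration (later Tomcat releases expose a `crlFile` connector attribute for exactly this) or a custom `SSLImplementation`.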