[Freeipa-devel] Checking OCSP and CRL during certificate login

Pavel Vomacka pvomacka at redhat.com
Tue Apr 11 11:18:07 UTC 2017


Hello,

With the recent addition of certificate mapping and certificate login 
support into WebUI, we also need to handle revocation of certificates 
which are used for login. There is a ticket which requests this 
functionality: https://pagure.io/freeipa/issue/6370

We (me, David and Jan) are thinking about how to achieve this and the 
way we found is the following: We mark the server cert in the HTTP NSS DB as 
a trusted peer ('P,,') to avoid a chicken-and-egg problem when we need 
to contact the OCSP responder while httpd is starting. And then set the 
NSSOCSP On directive in /etc/httpd/conf.d/nss.conf. The known downside 
of OCSP is that when the OCSP responder is not reachable, the 
certificate cannot be checked and login is not allowed. Should we 
document it, or is that acceptable behavior? Is it OK to just fail?

Another thing is checking the CRL. The main issue here is that we don't have 
a mechanism which would fetch the CRL periodically from the source, and 
therefore the CRL would have to be updated manually. Therefore I would go 
only with OCSP for now.

Do you think that this makes sense? Comments and suggestions are more 
than welcome.

-- 
Pavel^3 Vomacka
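An added audit helper for the setup proposed above (example code, not part of FreeIPA or of the original mail): it checks that the effective NSSOCSP directive in nss.conf is On and that the server certificate's SSL trust column in `certutil -L` output carries the peer flag 'P'. The NSS DB path /etc/httpd/alias and the nickname Server-Cert are assumptions, not taken from the mail.

```bash
#!/bin/bash
# Assumed defaults (not stated in the mail); override via environment.
NSS_CONF=${NSS_CONF:-/etc/httpd/conf.d/nss.conf}
NSS_DB=${NSS_DB:-/etc/httpd/alias}
CERT_NICK=${CERT_NICK:-Server-Cert}

# ocsp_enabled CONF: succeeds when the last uncommented NSSOCSP directive is On.
# Apache directives and On/Off values are case-insensitive; a later directive
# overrides an earlier one, so the last match wins.
ocsp_enabled() {
    val=$(sed 's/#.*//' "$1" | awk 'tolower($1)=="nssocsp" {v=$2} END {print v}')
    [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "on" ]
}

# trusted_peer CERTLIST NICK: succeeds when the certutil -L listing in CERTLIST
# shows NICK with 'P' in the SSL trust column (the field before the first
# comma, e.g. "P,," or "Pu,u,u"). Nicknames may contain spaces, so match the
# whole line prefix rather than the first awk field.
trusted_peer() {
    flags=$(grep "^$2[[:space:]]" "$1" | awk '{print $NF}' | tail -n 1)
    [ -n "$flags" ] || return 1
    ssl=${flags%%,*}
    case "$ssl" in *P*) return 0 ;; esac
    return 1
}

# audit_files CONF CERTLIST NICK: report both checks; exit status 0 only if both
# hold. Works on saved files so it can run without NSS tools present.
audit_files() {
    rc=0
    if ocsp_enabled "$1"; then echo "NSSOCSP: On"; else echo "NSSOCSP: not On"; rc=1; fi
    if trusted_peer "$2" "$3"; then echo "$3: trusted peer (P)"; else echo "$3: no peer trust"; rc=1; fi
    # Reminder from the mail: with NSSOCSP On, an unreachable responder means
    # the certificate cannot be checked and certificate login fails.
    return $rc
}

# audit_live: same checks against the running host (needs certutil installed).
audit_live() {
    tmp=$(mktemp) || return 1
    certutil -L -d "$NSS_DB" > "$tmp" || { rm -f "$tmp"; return 1; }
    audit_files "$NSS_CONF" "$tmp" "$CERT_NICK"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run `audit_live` on the IPA server to check a real configuration; the file-based functions accept captured output for offline review.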