[Pulp-list] Candlepin and Certificate Revocation

Bryan Kearney bkearney at redhat.com
Wed Jul 20 16:30:59 UTC 2011

Cross posting to pulp and candlepin lists. I apologize in advance.

I am looking at how candlepin needs to communicate certificate 
revocation. The two main consumers I know of for this data are pulp (as 
part of katello) and thumbslug. In both cases, pulp and thumbslug are 
emitting a CDN interface and need to verify if a certificate presented 
to them is accurate.

There are three main options that I have seen. Basic pros and cons 
below. I am looking for feedback from both camps as which they would 
prefer. I would like to agree on one model to limit testing issues.

Certificate Revocation Lists (CRL)
Candlepin generates CRLs which are read by Pulp/Thumbslug. Files are 
regenerated every X hours and need to be refreshed.

Pros:
(1) Candlepin does this already!
(2) Standards compliant

Cons:
(1) As the tools are horizontally scaled, we need to design out how to
   (1.1) Handle candlepin is on many machines
   (1.2) Handle when pulp/thumbslug is on different machines from candlepin

Online Certificate Status Protocol (OCSP)
An OCSP responder exists which can return a yes/no for certificates.

Pros:
(1) Standards compliant
(2) Should solve the cross machine issues

Cons:
(1) More work for Candlepin
(2) May need to implement a "mirror list" type solution for finding 

Custom Wire Protocol
Same model as OCSP, but custom protocol.

Pros:
(1) Should be easier to implement than OCSP
(2) Should resolve the cross machine issues

Cons:
(1) Same as OCSP

Comments from folks?

-- bk
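As an added illustration of the CRL option discussed above (this is example code, not part of the original post and not Candlepin, Pulp or Thumbslug code), the block below builds a throwaway CA, an entitlement-style client certificate and a CRL in memory with the `cryptography` library, then runs the check that a CDN front end such as Pulp or Thumbslug would perform on a presented certificate. The CA name, the serials, the fixed clock and the `check_presented_cert` / `build_crl` helpers are all constructed for the demo. The point it adds to the pros/cons list is the refresh problem from the cross-machine con: a node holding a CRL whose nextUpdate has passed no longer knows the revocation state, so the check reports "stale" and the request should be refused rather than served, and a CRL is only trusted once its signature verifies against the CA, not merely because its issuer name matches.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed, fixed clock so the freshness decisions below are reproducible.
NOW = datetime(2011, 7, 20, 16, 30, tzinfo=timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca():
    """Constructed stand-in for the Candlepin CA: key plus self-signed cert."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name("Candlepin Demo CA"))
        .issuer_name(_name("Candlepin Demo CA"))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - timedelta(days=1))
        .not_valid_after(NOW + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_client_cert(ca_key, ca_cert, cn):
    """Entitlement-style client certificate signed by the demo CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - timedelta(hours=1))
        .not_valid_after(NOW + timedelta(days=30))
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(ca_key, ca_cert, revoked_serials, issued_at, valid_for):
    """CRL as the CA would publish it; nextUpdate is when consumers must refresh."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(issued_at)
        .next_update(issued_at + valid_for)
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(issued_at)
            .build()
        )
    return builder.sign(ca_key, hashes.SHA256())


def _next_update(crl):
    # Newer cryptography releases expose tz-aware *_utc properties; older ones
    # only have the naive attribute, which is documented as UTC.
    nu = getattr(crl, "next_update_utc", None)
    if nu is None:
        nu = crl.next_update.replace(tzinfo=timezone.utc)
    return nu


def check_presented_cert(cert, crl, ca_cert, now=NOW):
    """Return 'untrusted', 'stale', 'revoked' or 'good'; only 'good' may be served."""
    ca_pub = ca_cert.public_key()
    # 1. The presented cert must be signed by our CA (signature check only here).
    try:
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                      ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return "untrusted"
    # 2. The CRL must name our CA as issuer AND carry a valid CA signature.
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_pub):
        return "untrusted"
    # 3. A CRL past nextUpdate is not evidence of anything: fail closed.
    if now > _next_update(crl):
        return "stale"
    # 4. Only now does the serial lookup mean something.
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def demo():
    """Exercise the four outcomes; returns a dict so callers can inspect them."""
    ca_key, ca_cert = make_ca()
    good = issue_client_cert(ca_key, ca_cert, "consumer-good")
    bad = issue_client_cert(ca_key, ca_cert, "consumer-revoked")
    fresh_crl = build_crl(ca_key, ca_cert, [bad.serial_number],
                          NOW - timedelta(hours=1), timedelta(hours=4))
    # Copy a lagging node might still hold: issued two days ago, 4h validity.
    old_crl = build_crl(ca_key, ca_cert, [], NOW - timedelta(days=2), timedelta(hours=4))
    # Same issuer name, different key: name matching alone would accept this.
    other_key, other_ca = make_ca()
    forged_crl = build_crl(other_key, other_ca, [], NOW, timedelta(hours=4))
    return {
        "good": check_presented_cert(good, fresh_crl, ca_cert),
        "revoked": check_presented_cert(bad, fresh_crl, ca_cert),
        "stale": check_presented_cert(bad, old_crl, ca_cert),
        "forged": check_presented_cert(good, forged_crl, ca_cert),
    }


if __name__ == "__main__":
    print(demo())
```

The "stale" branch is the cheap answer to the horizontal-scaling con: whatever transport moves the CRL from Candlepin to the Pulp/Thumbslug hosts, each consumer can detect on its own that its copy has aged out and stop serving until it has refreshed, so a lost or late regeneration cannot silently turn into serving revoked entitlements.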
