[Pulp-list] Candlepin and Certificate Revocation

Bryan Kearney bkearney at redhat.com
Thu Jul 21 14:27:47 UTC 2011


Any comments from the pulp or thumbslug folks?

-- bk

On 07/20/2011 12:30 PM, Bryan Kearney wrote:
> Cross posting to pulp and candlepin lists. I apologize in advance.
>
> I am looking at how candlepin needs to communicate certificate
> revocation. The two main consumers I know of for this data are pulp (as
> part of katello) and thumbslug. In both cases, pulp and thumbslug are
> emitting a CDN interface and need to verify if a certificate presented
> to them is accurate.
>
> There are three main options that I have seen. Basic pros and cons
> below. I am looking for feedback from both camps as which they would
> prefer. I would like to agree on one model to limit testing issues.
>
>
> Certificate Revocation Lists (CRL)
> ==================================
> Candlepin generates CRLs which are read by Pulp/Thumbslug. Files are
> regenerated every X hours and need to be refreshed.
>
> Pros:
> (1) Candlepin does this already!
> (2) Standards compliant
>
> Cons:
> (1) As the tools are horizontally scaled, we need to design out how to
> (1.1) Handle candlepin is on many machines
> (1.2) Handle when pulp/thumbslug is on different machines from candlepin
>
>
>
> Online Certificate Status Protocol (OCSP)
> =========================================
> An OCSP responder exists which can return a yes/no for certificates.
>
> Pros:
> (1) Standards Compliant
> (2) Should solve the cross machine issues
>
> Cons:
> (1) More work for Candlepin
> (2) May need to implement a "mirror list" type solution for finding
> candlepin
>
>
>
> Custom Wire Protocol
> ====================
> Same model as OCSP, but custom protocol.
>
> Pros:
> (1) Should be easier to implement than OCSP
> (2) Should resolve the cross machine issues
>
> Cons:
> (1) Same as OCSP
>
>
> Comments from folks?
>
> -- bk
>
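The CRL option above is the only one of the three with existing tooling, and its main con (files are regenerated every X hours and must be refreshed) is easy to get wrong on the relying-party side. The script below is an added illustration, not code from Candlepin, Pulp or Thumbslug: it uses the openssl CLI to stand in for Candlepin (a throwaway CA that issues a consumer cert and publishes a CRL) and for Pulp/Thumbslug (a check of a presented cert against CA + CRL). Names such as "candlepin-ca" and "consumer-1" and the one-day CRL lifetime are assumptions. It shows the two failure modes a CRL consumer has to handle: a CRL that has not been refetched since a revocation still reports the cert as valid, and a CRL whose nextUpdate has passed is rejected by openssl rather than trusted.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal CRL workflow with the openssl CLI.
# "Candlepin" = the CA that issues and revokes; "Pulp/Thumbslug" = the relying party.
# All keys are throwaway and live in a temp dir; subject names are assumptions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- Candlepin side: CA setup, issue, publish CRL, revoke -------------------
setup_ca() {
  mkdir -p ca/newcerts
  touch ca/index.txt
  echo 1000 > ca/serial
  echo 1000 > ca/crlnumber
  cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca = candlepin_ca
[ candlepin_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 1
x509_extensions = usr_cert
policy = any_policy
[ any_policy ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Self-signed CA with CA:TRUE and cRLSign so it may sign both certs and CRLs.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca/ca.key -out ca/ca.crt \
    -subj "/CN=candlepin-ca" -days 30 -config ca/openssl.cnf >/dev/null 2>&1
}

issue_consumer_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout consumer.key -out consumer.csr \
    -subj "/CN=consumer-1" -config ca/openssl.cnf >/dev/null 2>&1
  openssl ca -batch -notext -config ca/openssl.cnf -in consumer.csr \
    -out consumer.crt -days 30 >/dev/null 2>&1
}

# Writes crl.pem; nextUpdate = now + default_crl_days. This is the file
# Pulp/Thumbslug would have to refetch periodically.
publish_crl() {
  openssl ca -config ca/openssl.cnf -gencrl -out crl.pem >/dev/null 2>&1
}

revoke_consumer_cert() {
  openssl ca -config ca/openssl.cnf -revoke consumer.crt >/dev/null 2>&1
}

# --- Pulp/Thumbslug side: validate a presented cert against CA + CRL --------
# Optional $1 is an epoch passed to "-attime", i.e. evaluate as of that instant.
# Prints one of: valid | revoked | stale-crl | invalid
check_cert() {
  cat ca/ca.crt crl.pem > bundle.pem
  if [ $# -gt 0 ]; then extra="-attime $1"; else extra=""; fi
  out=$(openssl verify -crl_check $extra -CAfile bundle.pem consumer.crt 2>&1 || true)
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *"CRL has expired"*)     echo stale-crl ;;
    *": OK"*)                echo valid ;;
    *)                       echo invalid ;;
  esac
}

# --- Walk through the lifecycle ----------------------------------------------
setup_ca
issue_consumer_cert
publish_crl
FRESH_RESULT=$(check_cert)                                  # valid
FUTURE_RESULT=$(check_cert $(( $(date +%s) + 3 * 86400 )))  # stale-crl: nextUpdate has passed
revoke_consumer_cert
STALE_RESULT=$(check_cert)                                  # valid: old CRL not yet refetched
publish_crl
REVOKED_RESULT=$(check_cert)                                # revoked: refreshed CRL lists it
echo "fresh=$FRESH_RESULT future=$FUTURE_RESULT before-refresh=$STALE_RESULT after-refresh=$REVOKED_RESULT"
```

The "before-refresh" result is the cross-machine problem from the Cons list in miniature: once Pulp/Thumbslug run on other hosts, whatever copies crl.pem over has to run more often than the revocation latency the CDN is willing to accept, and the relying party should treat an expired CRL as a hard failure (as openssl does here) rather than falling back to "no CRL, assume valid".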