[Pulp-list] Candlepin and Certificate Revocation

Bryan Kearney bkearney at redhat.com
Thu Jul 21 15:55:46 UTC 2011


On 07/21/2011 11:24 AM, Jason L Connor wrote:
> Disclaimer: I haven't done any work with Candlepin integration or even
> our certificate based authorization. So this email is going to be a
> bunch of "thinking out loud", if you will.
>
> It looks like the functionality is boiling down to batch vs single
> certificate revocation.

Well... batch transmission of data, still checking per request to pulp.

>
> In either case I prefer standards compliance over non-, so I don't like
> the custom option.
>

+1

> I guess it's a trade off of how fine-grained, time-wise, we want
> certificate revocation to be vs. how much do we want to talk over the
> network.

I think we can live with daily, or perhaps every 6 hours or so.

>
> I like the batch operation (CRL) as it doesn't need to check the status
> of a certificate with candlepin at the same time as fielding a request
> from a client. However, depending on how often the revocation list is
> generated, the information pulp has at any given time for a certificate
> may be out of date.
>
> If we can keep the time granularity on certificate revocation
> sufficiently coarse or we're willing to live with sufficiently short
> periods of time in which we have dated certificate information, I think
> this solution is the best.
>
> If we cannot, we should move to OCSP.

I am fine with CRL if you guys are. Lemme check with the thumbslug folks.

-- bk
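The trade-off discussed above (a CRL fetched in batch every few hours, with each request to pulp still checked against it) is easy to get wrong in one way: a cached CRL that has passed its nextUpdate, or whose signature does not verify against the issuing CA, must not be treated as "nothing revoked". The following is an added example and not code from Pulp, Candlepin or the thread's authors; it uses the `cryptography` package and builds a throwaway CA, two client certificates and a CRL in-process (all constructed) so it runs offline. The CA name, serial numbers and the six-hour CRL validity are assumptions chosen to mirror the cadence mentioned in the thread.

```python
"""CRL-based revocation check with a staleness guard (added example)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def _make_ca():
    # Constructed throwaway CA standing in for the entitlement CA.
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Entitlement CA")])
    now = datetime.datetime.now(UTC)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def _make_client_cert(ca_key, ca_cert, serial):
    # Constructed consumer certificate issued by the throwaway CA.
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(UTC)
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "consumer")]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(serial)
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(ca_key, ca_cert, revoked_serials, validity_hours=6):
    """Batch-issue a CRL valid for `validity_hours` (the thread's 'every 6 hours')."""
    now = datetime.datetime.now(UTC)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now - datetime.timedelta(minutes=1))
        .next_update(now + datetime.timedelta(hours=validity_hours))
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now - datetime.timedelta(minutes=1))
            .build()
        )
    return builder.sign(ca_key, hashes.SHA256())


def _crl_next_update(crl):
    # Newer cryptography exposes a tz-aware next_update_utc; fall back to the naive field.
    nu = getattr(crl, "next_update_utc", None)
    if nu is None and crl.next_update is not None:
        nu = crl.next_update.replace(tzinfo=UTC)
    return nu


def check_revocation(cert, crl, ca_cert, now=None):
    """Per-request check against the cached CRL.

    Returns 'good', 'revoked' or 'stale'. A CRL that is past nextUpdate, was not
    issued by our CA, or fails signature verification yields 'stale' (unknown),
    never 'good': the caller should refetch the CRL or deny the request.
    """
    now = now or datetime.datetime.now(UTC)
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "stale"
    nu = _crl_next_update(crl)
    if nu is not None and now > nu:
        return "stale"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def demo():
    """Exercise the three outcomes; serials 1001/1002 are constructed values."""
    ca_key, ca_cert = _make_ca()
    good = _make_client_cert(ca_key, ca_cert, serial=1001)
    revoked = _make_client_cert(ca_key, ca_cert, serial=1002)
    crl = build_crl(ca_key, ca_cert, revoked_serials=[1002])
    seven_hours_on = datetime.datetime.now(UTC) + datetime.timedelta(hours=7)
    return {
        "good_cert": check_revocation(good, crl, ca_cert),
        "revoked_cert": check_revocation(revoked, crl, ca_cert),
        "after_expiry": check_revocation(good, crl, ca_cert, now=seven_hours_on),
    }


if __name__ == "__main__":
    print(demo())
```

The 'stale' result is the piece that makes the batch approach safe: the window in which pulp holds dated information is bounded by the CRL's nextUpdate, and once that passes the check fails closed until a fresh CRL is fetched, rather than quietly accepting a certificate the CA may since have revoked.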
