[Pulp-list] Candlepin and Certificate Revocation
Bryan Kearney
bkearney at redhat.com
Wed Jul 20 16:30:59 UTC 2011
Cross posting to pulp and candlepin lists. I apologize in advance.
I am looking at how candlepin needs to communicate certificate
revocation. The two main consumers I know of for this data are pulp (as
part of katello) and thumbslug. In both cases, pulp and thumbslug are
emitting a CDN interface and need to verify if a certificate presented
to them are accurate.
There are three main options that I have seen. Basic pros and cons
below. I am looking for feedback from both camps as which they would
prefer. I would like to agree on one model to limit testing issues.
Certificate Revocation Lists (CRL)
==================================
Candlepin generates CRLs which are read by Pulp/Thumbslug. Files are
regenerated every X hours and need to be refreshed.
Pros:
(1) Candlepin does this already!
(2) Standards compliant
Cons:
(1)As the tools are horzontally scaled, we need to design out how
(1.1) Handle candlepin is on many machines
(1.2) Handle when pulp/thumbslug is on different machines from candlepin
Online Certificate Status Protocol (OCSP)
=========================================
An OCSP responder exists which can return a yes/no for certificates.
Pros:
(1) Standards Compliant
(2) Should solve the cross machine issues
Cons:
(1) More work for Candlepin
(2) May need to implementing a "mirror list" type solution for finding
candlepin
Custom Wire Protocol
====================
Same model as OCSP, but custom protocol.
Pros:
(1) Should be easier to implement than OCSP
(2) Should resolve the cross machine issues
Cons:
(1) Same as OCSP
Comments from folks?
-- bk
More information about the Pulp-list
mailing list