[Pulp-list] Candlepin and Certificate Revocation

Cross posting to pulp and candlepin lists. I apologize in advance.

I am looking at how candlepin needs to communicate certificate revocation. The two main consumers I know of for this data are pulp (as part of katello) and thumbslug. In both cases, pulp and thumbslug present a CDN interface and need to verify whether a certificate presented to them is still valid.

There are three main options that I have seen. Basic pros and cons below. I am looking for feedback from both camps as to which they would prefer. I would like to agree on one model to limit testing issues.

Certificate Revocation Lists (CRL)
Candlepin generates CRLs which are read by Pulp/Thumbslug. Files are regenerated every X hours and need to be refreshed.

Pros:
(1) Candlepin does this already!
(2) Standards compliant

Cons:
(1) As the tools are horizontally scaled, we need to design how to:
  (1.1) Handle candlepin being on many machines
  (1.2) Handle pulp/thumbslug being on different machines from candlepin
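
For the CRL option, the part that matters on the Pulp/Thumbslug side is what a CDN front end has to do with the file before it can answer for a presented certificate. The following Go program is an added illustration, not code from candlepin, pulp or thumbslug: it constructs a stand-in CA and CRL (names, serials and the four-hour validity window are assumptions) and shows the three outcomes a verifier must distinguish, including the stale-file case that the "regenerated every X hours" refresh requirement creates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type Status string

const Good, Revoked, StaleCRL Status = "good", "revoked", "stale-crl"

// CheckAgainstCRL is the CDN-side check for a presented certificate's serial:
// the CRL must verify against the Candlepin CA and still be current before its
// contents mean anything; only then is the serial looked up.
func CheckAgainstCRL(issuer *x509.Certificate, crlDER []byte, serial *big.Int, now time.Time) (Status, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StaleCRL, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StaleCRL, err // a CRL not signed by the issuer proves nothing
	}
	if now.After(crl.NextUpdate) {
		return StaleCRL, nil // "regenerated every X hours": past NextUpdate, refresh before answering
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return Revoked, nil
		}
	}
	return Good, nil
}

// BuildDemo constructs stand-in Candlepin output: a CA and a CRL, valid for
// four hours from now, that revokes serial 101. Errors are ignored because the inputs are fixed.
func BuildDemo(now time.Time) (ca *x509.Certificate, crlDER []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now, NotAfter: now.Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(der) // re-parse so the CA carries its generated SubjectKeyId
	crlDER, _ = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(4 * time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(101), RevocationTime: now}}}, ca, caKey)
	return ca, crlDER
}
```

A verifier that answers "good" from a CRL whose NextUpdate has passed, or from a file it never signature-checked, is the failure the cross-machine distribution question in the cons above has to prevent.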

Online Certificate Status Protocol (OCSP)
An OCSP responder exists which can return a yes/no for certificates.

Pros:
(1) Standards compliant
(2) Should solve the cross-machine issues

Cons:
(1) More work for Candlepin
(2) May need to implement a "mirror list" type solution for finding candlepin

Custom Wire Protocol
Same model as OCSP, but custom protocol.

Pros:
(1) Should be easier to implement than OCSP
(2) Should resolve the cross-machine issues

Cons:
(1) Same as OCSP

Comments from folks?

-- bk

