From: Massimiliano P. <pa...@cs...> - 2007-12-04 18:22:18
Ciao Alex,

my concerns about publishing CRLs over HTTPS are based on the fact that if you do that, the OCSPD will probably have no problems, but other apps will - as that URL (HTTPS) will be used by many other apps besides the OCSP, it is wise to consider it carefully before doing so :D

About the cURL, I will definitely consider it. Actually I already implemented a URL-based retrieval interface in LibPKI... but, at the moment, it lacks some protocols, e.g. HTTPs, FTP, FTPs, Email (which can all be useful for different purposes to the average programmer, not only for the OCSPD).

I will look into it and see if we can add its support to LibPKI... it has a lot of other dependencies, though.. :)

Later,
Max

Alex Agranov wrote:
> Hi Max,
>
> I realize that HTTP may be "just enough" for CRL publishing. But LDAP
> and HTTPS are valid options too. And there are quite a few products that
> support both.
>
> The "revocation loop" that you refer to in your previous mail, in fact
> may be a problem for certain client applications, but it's hardly an
> issue for OCSP daemon itself.
>
> As for your concern on portability - cURL library is highly portable
> (it's available for Linux, Solaris, FreeBSD, OS/2, MacOS, AIX and even
> Windows - check http://curl.haxx.se/download.html). It greatly
> simplifies your application code and is actively maintained. Another
> advantage of using it - it gives you full support of all HTTP features
> (e.g. authentication) as well as support for other protocols - e.g. FTP
> and FTPS. You may also use it for LDAP and LDAPS support (instead of
> directly interfacing OpenLDAP API) - though this is completely up to
> you.

--
Best Regards,
Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]    pa...@cs...
                                              pro...@op...
Dartmouth Computer Science Dept               Home Phone: +1 (603) 397-3883
PKI/Trust - Office 063                        Work Phone: +1 (603) 646-9179
--o------------------------------------------------------------------------