[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Pulp-list] Candlepin and Certificate Revocation



Cross posting to pulp and candlepin lists. I apologize in advance.

I am looking at how candlepin needs to communicate certificate revocation. The two main consumers I know of for this data are pulp (as part of katello) and thumbslug. In both cases, pulp and thumbslug are emitting a CDN interface and need to verify if a certificate presented to them are accurate.

There are three main options that I have seen. Basic pros and cons below. I am looking for feedback from both camps as which they would prefer. I would like to agree on one model to limit testing issues.


Certificate Revocation Lists (CRL)
==================================
Candlepin generates CRLs which are read by Pulp/Thumbslug. Files are regenerated every X hours and need to be refreshed.

Pros:
(1) Candlepin does this already!
(2) Standards compliant

Cons:
(1)As the tools are horzontally scaled, we need to design out how
  (1.1) Handle candlepin is on many machines
  (1.2) Handle when pulp/thumbslug is on different machines from candlepin



Online Certificate Status Protocol (OCSP)
=========================================
An OCSP responder exists which can return a yes/no for certificates.

Pros:
(1) Standards Compliant
(2) Should solve the cross machine issues

Cons:
(1) More work for Candlepin
(2) May need to implementing a "mirror list" type solution for finding candlepin



Custom Wire Protocol
====================
Same model as OCSP, but custom protocol.

Pros:
(1) Should be easier to implement than OCSP
(2) Should resolve the cross machine issues

Cons:
(1) Same as OCSP


Comments from folks?

-- bk







[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]