
Re: [Pulp-list] Candlepin and Certificate Revocation



Any comments from the pulp or thumbslug folks?

-- bk

On 07/20/2011 12:30 PM, Bryan Kearney wrote:
Cross posting to pulp and candlepin lists. I apologize in advance.

I am looking at how candlepin needs to communicate certificate
revocation. The two main consumers I know of for this data are pulp (as
part of katello) and thumbslug. In both cases, pulp and thumbslug are
emitting a CDN interface and need to verify if a certificate presented
to them is accurate.

There are three main options that I have seen. Basic pros and cons
below. I am looking for feedback from both camps as which they would
prefer. I would like to agree on one model to limit testing issues.


Certificate Revocation Lists (CRL)
==================================
Candlepin generates CRLs which are read by Pulp/Thumbslug. Files are
regenerated every X hours and need to be refreshed.

Pros:
(1) Candlepin does this already!
(2) Standards compliant

Cons:
(1) As the tools are horizontally scaled, we need to design out how to:
(1.1) Handle candlepin being on many machines
(1.2) Handle pulp/thumbslug being on different machines from candlepin



Online Certificate Status Protocol (OCSP)
=========================================
An OCSP responder exists which can return a yes/no for certificates.

Pros:
(1) Standards Compliant
(2) Should solve the cross machine issues

Cons:
(1) More work for Candlepin
(2) May need to implement a "mirror list" type solution for finding
candlepin



Custom Wire Protocol
====================
Same model as OCSP, but custom protocol.

Pros:
(1) Should be easier to implement than OCSP
(2) Should resolve the cross machine issues

Cons:
(1) Same as OCSP


Comments from folks?

-- bk
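An added example, not code from this thread or from Candlepin, Pulp or Thumbslug, of the CRL model discussed above: the Candlepin side publishes a signed CRL with a next_update horizon, and the CDN side (pulp/thumbslug) checks a presented certificate's serial against it, treating an unsigned, foreign or expired CRL as unusable rather than as "not revoked". The test PKI, names and function names are constructed for this illustration and assume the `cryptography` library.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _utcnow():
    # naive UTC, matching the naive datetimes the CRL accessors return
    return datetime.now(timezone.utc).replace(tzinfo=None)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, issuer_cn, issuer_key=None, is_ca=False):
    """Issue a certificate from the constructed test PKI; self-signed when issuer_key is None."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = _utcnow()
    builder = (x509.CertificateBuilder()
               .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=5))
               .not_valid_after(now + timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return key, builder.sign(issuer_key or key, hashes.SHA256())

def build_crl(ca_key, ca_cert, revoked_serials, hours_valid, issued_at=None):
    """The file Candlepin would regenerate every X hours: signed list of revoked serials."""
    issued_at = issued_at or _utcnow()
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject).last_update(issued_at)
               .next_update(issued_at + timedelta(hours=hours_valid)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(issued_at).build())
    return builder.sign(ca_key, hashes.SHA256())

def check_revocation(cert, crl, ca_cert, now=None):
    """CDN-side check: 'good', 'revoked', 'stale' (refresh missed) or 'untrusted' (wrong CA)."""
    now = now or _utcnow()
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "untrusted"
    if crl.next_update is None or now > crl.next_update:
        return "stale"  # fail closed instead of serving content on an out-of-date list
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"

def demo():
    ca_key, ca_cert = make_cert("Constructed Candlepin CA", "Constructed Candlepin CA", is_ca=True)
    _, ent_ok = make_cert("consumer-ok", "Constructed Candlepin CA", issuer_key=ca_key)
    _, ent_bad = make_cert("consumer-revoked", "Constructed Candlepin CA", issuer_key=ca_key)
    crl = build_crl(ca_key, ca_cert, [ent_bad.serial_number], hours_valid=4)
    later = _utcnow() + timedelta(hours=5)  # a refresh that was missed
    return (check_revocation(ent_ok, crl, ca_cert), check_revocation(ent_bad, crl, ca_cert),
            check_revocation(ent_ok, crl, ca_cert, now=later))
```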