[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Pulp-list] Candlepin and Certificate Revocation



On 07/21/2011 11:24 AM, Jason L Connor wrote:
Disclaimer: I haven't done any work with Candlepin integration or even
our certificate based authorization. So this email is going to be a
bunch of "thinking out loud", if you will.

It looks like the functionality is boiling down to batch vs single
certificate revocation.

well..  batch transmission of data, still checking per request to pulp


In either case I prefer standards compliance over non-, so I don't like
the custom option.


+1

I guess it's a trade off of how fine-grained, time-wise, we want
certificate revocation to be vs. how much do we want to talk over the
network.

I think we can live with daily, or perhaps every 6 hours or so.


I like the batch operation (CRL) as it doesn't need to check the status
of a certificate with candlepin at the same time as fielding a request
from a client. However, depending on how often the revocation list is
generated, the information pulp has at any given time for a certificate
may be out of date.

If we can keep the time granularity on certificate revocation
sufficiently coarse or we're willing to live with sufficiently short
periods of time in which we have dated certificate information, I think
this solution is the best.

If we cannot, we should move to OCSP.

I am fine with CRL if you guys are. Lemme check with the thumbslug folks.

-- bk


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]