
14th EUGridPMA, October 6-8, 2008, Lisbon

This study examines the impact of different CRL update frequencies on the certificate authorities, proposing a harmonized approach to ensure timely and efficient updates.

wadejones


Presentation Transcript


  1. 14th EUGridPMA, October 6-8, 2008, Lisbon

  2. CRL next Update

  3. CRL Facts
     1.0 - d1737728 /C=SG/O=Netrust Certificate Authority 1/OU=Netrust CA1
     2.0 - 1d879c6c /DC=ch/DC=cern/CN=CERN Trusted Certification Authority
     7.0 - 9b59ecad /DC=cz/DC=cesnet-ca/CN=CESNET CA
     8.0 - cc800af0 /C=HU/O=NIIF/OU=Certificate Authorities/CN=NIIF Root CA
     10.0 - eebc7717 /C=CH/O=Switch - .../CN=SWITCH Server CA
     10.0 - 47d3d1a0 /C=CH/O=Switch - .../CN=SWITCH Personal CA
     14.0 - 9b95bbf2 /C=US/O=National Center for S.A./OU=Certificate Authorities/CN=CACL
     30.0 - 1691b9ba /C=TR/O=TRGrid/CN=TR-Grid CA
     ...
     30.0 - 2418a3f3 /DC=bg/DC=acad/CN=BG.ACAD CA
     31.0 - 55994d72 /C=RU/O=RDIG/CN=Russian Data-Intensive Grid CA
     35.0 - 03aa0ecb /C=BE/O=BELNET/OU=BEGrid/CN=BEGridCA/emailAddress=gridca@belnet.be
     180.0 - 28a58577 /C=GR/O=HellasGrid/OU=Certification A.../CN=HellasGrid Root CA 2006
     180.5 - d254cc30 /DC=ch/DC=cern/CN=CERN Root CA
     ...
     365.0 - 566bf40f /C=EE/O=Grid/CN=Estonian Grid Certification Authority
     366.0 - cf4ba8c8 /C=FR/O=CNRS/CN=CNRS
     ...
     548.0 - d0b701c0 /C=CH/O=Switch - .../CN=SWITCHgrid Root CA
     731.0 - 98ef0ee5 /C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root

  4. Classic Profile
     • Validity between 7 and 30 days
     • 7 day CRLs imply continuous issuance

  5. SLCS Profile
     • Validity between 3 days and ∞

  6. Issues seen
     • Netrust CRL of 1 day triggers many warnings
     • PMA warnings of actual invalidity are common
     • Unavailability of CRL is on average 20% at any time
     • The CERN TCA CRL of 2 days hardly causes any actual problems
     • A warning once every few months
     • The CESNET CRL of 7 days causes no problems
     • Manual 30 day CRLs give incidental problems

  7. Proposal
     • Harmonize period between SLCS and Classic AP
     • at least 3 days before expiration
     • Only for on-line auto-generated CRLs
     • Manually generated CRLs and CRLs for off-line CAs stay at 7 days
     • Max life time for Classic AP stays at 30 days for issuing CAs
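
As an added example (not part of the presentation), the Python code below applies the numbers from slides 4 to 7 to the dates printed by `openssl crl -noout -lastupdate -nextupdate`. It assumes that "at least 3 days before expiration" means a new CRL must be published that long before nextUpdate; the sample dates, the function names and the "online"/"manual" labels are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=30)      # slide 7: max lifetime, Classic AP
LEAD = {                               # assumed reading: reissue lead before nextUpdate
    "online": timedelta(days=3),       # proposal for on-line auto-generated CRLs
    "manual": timedelta(days=7),       # manually generated / off-line CAs
}

# Constructed samples in the format `openssl crl -noout -lastupdate -nextupdate` prints.
SAMPLE_30D = "lastUpdate=Oct  1 00:00:00 2008 GMT\nnextUpdate=Oct 31 00:00:00 2008 GMT"
SAMPLE_7D = "lastUpdate=Oct  1 00:00:00 2008 GMT\nnextUpdate=Oct  8 00:00:00 2008 GMT"


def parse_crl_dates(text):
    """Return (lastUpdate, nextUpdate) as UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("lastUpdate", "nextUpdate"):
            stamp = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
            fields[key] = stamp.replace(tzinfo=timezone.utc)
    if len(fields) != 2:
        raise ValueError("need both lastUpdate and nextUpdate")
    return fields["lastUpdate"], fields["nextUpdate"]


def check_crl(text, now, ca_kind="online"):
    """Return (lifetime in days, list of findings) for one CRL at time `now`."""
    last_update, next_update = parse_crl_dates(text)
    lifetime, lead = next_update - last_update, LEAD[ca_kind]
    findings = []
    if lifetime > MAX_LIFETIME:
        findings.append("lifetime exceeds 30 days")
    if lifetime <= lead:
        findings.append("lifetime <= reissue lead: continuous issuance needed")
    if now >= next_update:
        findings.append("expired: relying parties have no valid CRL")
    elif now >= next_update - lead:
        findings.append("reissue overdue: inside lead window")
    return lifetime.total_seconds() / 86400, findings


if __name__ == "__main__":
    now = datetime(2008, 10, 29, tzinfo=timezone.utc)
    print(check_crl(SAMPLE_30D, now, "online"))
    print(check_crl(SAMPLE_7D, datetime(2008, 10, 1, tzinfo=timezone.utc), "manual"))
```

A 7 day CRL checked against the 7 day lead is flagged from the moment it is issued, which is the "continuous issuance" effect noted on slide 4.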
