
RE: New XAUTH draft



> ----------
> From: 	Bronislav Kavsan[SMTP:bkavsan@ire-ma.com]
> Sent: 	Friday, May 21, 1999 7:35 AM
> To: 	Greg Carter
> Cc: 	'ipsec@lists.tislabs.com'
> Subject: 	Re: New XAUTH draft
> 
> Greg,
> 
> Example: Mobile Corp. decides to lay off 10,000 workers who have
> certificates with expiration date 1 year from now.
> In this scenario - Mobile CA will push 10,000-entries CRL files to all
> IPSec devices for a year - I hope these devices have enough memory and
> bandwidth to receive these files !!
> 
Hi Bronislav,
You misunderstand PKI with respect to CRLs.  CAs don't push CRLs to all
devices; devices query the directory for the appropriate CRL.  As well, with
CRL distribution points the "mega CRL" syndrome you describe goes away.
Instead of one huge CRL which contains all those 10,000 revoked users, you
have many smaller CRLs, each containing a few revoked devices.  So out of
those 10,000 users you'll only ever retrieve CRLs for a few of them.  Then in
a year you don't have to retrieve ANY, since the cert has expired.

> RADIUS on the other hand - simply removes these entries from the database
> - and they are all revoked.
> 
Hmm, and what happens when one of the 10,000 users dials into the NAS?  The
NAS still has to format a RADIUS request and send it off to the RADIUS
server, which will probably query a backend database of some sort, and this
happens indefinitely, whereas with certificates there is no need to make an
additional query if the certificate has expired.

Bye.
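The CRL distribution point argument made in the reply above, as an added simulation that is not code from the list thread: the "directory" of per-DP CRLs, the 10,000 laid-off serials, the `ldap://crl.example/...` URIs and the 1-year validity are all constructed here to show how many CRLs a device actually retrieves, and that an expired cert triggers no retrieval at all.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Cert:
    serial: int
    not_after: date
    crl_dp: str  # CRL distribution point URI carried in the certificate


@dataclass
class CrlCache:
    crls: dict = field(default_factory=dict)  # dp URI -> set of revoked serials
    fetches: int = 0  # how many CRLs the device pulled from the directory


def partition_crls(revoked_serials, dp_count):
    """Constructed directory: one big revocation set split across dp_count small CRLs."""
    directory = {f"ldap://crl.example/dp{i}": set() for i in range(dp_count)}
    for s in revoked_serials:
        directory[f"ldap://crl.example/dp{s % dp_count}"].add(s)
    return directory


def check_cert(cert, today, directory, cache):
    """Return 'expired', 'revoked' or 'valid'; only the CRL this cert names is fetched."""
    if today > cert.not_after:
        return "expired"  # no directory query needed once the cert has lapsed
    if cert.crl_dp not in cache.crls:
        cache.fetches += 1
        cache.crls[cert.crl_dp] = directory[cert.crl_dp]  # fetch just that DP's CRL
    return "revoked" if cert.serial in cache.crls[cert.crl_dp] else "valid"


def demo():
    today = date(1999, 5, 21)
    directory = partition_crls(range(10_000), 100)  # 10,000 laid-off serials, 100 DPs
    cache = CrlCache()
    dp = lambda s: f"ldap://crl.example/dp{s % 100}"
    laid_off = Cert(7, today + timedelta(days=365), dp(7))
    still_employed = Cert(20_007, today + timedelta(days=365), dp(20_007))
    results = [check_cert(c, today, directory, cache) for c in (laid_off, still_employed)]
    # Both certs name dp7, so a single 100-entry CRL was retrieved, not 10,000 entries.
    after_expiry = check_cert(laid_off, today + timedelta(days=366), directory, cache)
    return results, cache.fetches, len(directory[dp(7)]), after_expiry


if __name__ == "__main__":
    print(demo())  # (['revoked', 'valid'], 1, 100, 'expired')
```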
