
Re: New XAUTH draft



Greg,

I understand how CRLs and Distribution Points work - the word "push" that I used
came from your e-mail, and I quote:

    "If you configure your box to check CRLs at each auth AND your CA is
    intelligent enough to push new CRLs each time a cert is revoked "

So I decided to play along using your term "push".

Also, I am not sure if I understand your notion about a few smaller CRLs versus one big
CRL. If I retrieve only a few CRLs - am I vulnerable to mis-authentication of a
revoked certificate that I don't have a CRL for? I also understand what will
happen in 1 year - but it is not a valid point though - I still have to build
my IPSec device for the "mother's day" (as they say in AT&T).

Greg Carter wrote:

> > ----------
> > From:         Bronislav Kavsan[SMTP:bkavsan@ire-ma.com]
> > Sent:         Friday, May 21, 1999 7:35 AM
> > To:   Greg Carter
> > Cc:   'ipsec@lists.tislabs.com'
> > Subject:      Re: New XAUTH draft
> >
> > Greg,
> >
> > Example: Mobile Corp. decides to lay off 10,000 workers who have
> > certificates with expiration date 1 year from now.
> > In this scenario - Mobile CA will push 10,000-entry CRL files to all
> > IPSec devices for a year - I hope these devices have enough memory and
> > bandwidth to receive these files !!
> >
> Hi Bronislav,
> You misunderstand PKI wrt CRLs.  CAs don't push CRLs to all devices,
> devices query the directory for the appropriate CRL.  As well, with CRL
> distribution points the "mega CRL" syndrome you describe goes away.  Instead
> of one huge CRL which contains all those 10,000 revoked users, you have many
> smaller CRLs, each containing a few revoked devices.  So out of those 10,000
> users you'll only ever retrieve CRLs for a few of them.  Then in a year you
> don't have to retrieve ANY since the cert has expired.
>
> > RADIUS on the other hand - simply removes these entries from the database
> > - and they are all revoked.
> >
> Hmm, and what happens when one of the 10,000 users dials into the NAS? The NAS
> still has to format a RADIUS request and send it off to the RADIUS server,
> which will probably query a backend database of some sort, and this happens
> indefinitely, whereas with certificates there is no need to make an
> additional query if the certificate has expired.
>
> Bye.

--
Bronislav Kavsan
IRE Secure Solutions, Inc.
100 Conifer Hill Drive  Suite 513
Danvers, MA  01923
voice: 978-739-2384
http://www.ire.com
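An added illustration of the revocation-check flow Greg describes and of Bronislav's "CRL I don't have" worry; this is example code written for this archive page, not code from either poster or from any IPsec product. It models the directory as an in-memory dictionary (constructed data; the `ldap://ca.example.test/...` URIs, serial numbers and names are made up). The security-relevant points it shows: the certificate itself names the distribution point, so the device never has to guess which partition to fetch; a partition that cannot be fetched, or whose `nextUpdate` has passed, causes a reject (fail closed) rather than a silent accept; and an expired certificate is rejected before any directory query at all, which is the "in a year you don't have to retrieve ANY" case.

```python
"""Toy model of CRL distribution point (DP) checking. Constructed example; the
directory, URIs, serials and subjects below are invented for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    not_after: datetime
    crl_dp: str            # CRL distribution point URI the CA wrote into the cert


@dataclass(frozen=True)
class Crl:
    next_update: datetime  # after this the CRL is stale and must not be trusted
    revoked: FrozenSet[int]


NOW = datetime(1999, 5, 21, 12, 0, tzinfo=timezone.utc)
YEAR = timedelta(days=365)
ONE_YEAR_LATER = NOW + YEAR + timedelta(days=1)

# Constructed directory: each partition lists only the revoked serials for its own
# group of certs, instead of one "mega CRL" holding every revoked serial.
DIRECTORY: Dict[str, Crl] = {
    "ldap://ca.example.test/crl-partition-17": Crl(NOW + timedelta(days=1), frozenset({1017, 2017})),
    "ldap://ca.example.test/crl-partition-42": Crl(NOW - timedelta(days=3), frozenset({1042})),  # stale
    # partition-99 is deliberately absent: the directory "cannot serve" it
}


def fetch_crl(uri: str, cache: Dict[str, Crl], log: List[str]) -> Optional[Crl]:
    """Stand-in for the directory query. Caches good CRLs per DP and records
    every real retrieval so the caller can count them."""
    if uri in cache:
        return cache[uri]
    log.append(uri)
    crl = DIRECTORY.get(uri)
    if crl is not None:
        cache[uri] = crl
    return crl


def check_cert(cert: Cert, now: datetime, cache: Dict[str, Crl], log: List[str]) -> str:
    """Return 'accept' or 'reject: <reason>' for one peer certificate."""
    if now > cert.not_after:
        return "reject: expired"          # no directory query needed at all
    crl = fetch_crl(cert.crl_dp, cache, log)
    if crl is None:
        return "reject: crl unavailable"  # fail closed: unknown status is not "good"
    if now > crl.next_update:
        return "reject: crl stale"        # an old CRL can hide a recent revocation
    if cert.serial in crl.revoked:
        return "reject: revoked"
    return "accept"


# Constructed peers; bob and carol are on the revoked lists, dave's DP is unreachable.
CERTS = [
    Cert(1001, "alice", NOW + YEAR, "ldap://ca.example.test/crl-partition-17"),
    Cert(1017, "bob",   NOW + YEAR, "ldap://ca.example.test/crl-partition-17"),
    Cert(1042, "carol", NOW + YEAR, "ldap://ca.example.test/crl-partition-42"),
    Cert(1099, "dave",  NOW + YEAR, "ldap://ca.example.test/crl-partition-99"),
]


def run(now: datetime) -> Tuple[Dict[str, str], int]:
    """Authenticate every peer once at time `now`; return the verdicts and the
    number of CRL retrievals that were actually performed."""
    cache: Dict[str, Crl] = {}
    log: List[str] = []
    verdicts = {c.subject: check_cert(c, now, cache, log) for c in CERTS}
    return verdicts, len(log)


if __name__ == "__main__":
    for when in (NOW, ONE_YEAR_LATER):
        verdicts, fetches = run(when)
        print(when.date(), verdicts, "CRL fetches:", fetches)
```

Running it at `NOW` fetches three partitions for four peers (alice and bob share one), rejects bob as revoked, rejects carol because her partition's `nextUpdate` has passed, and rejects dave because his partition cannot be retrieved; a year later every certificate is expired and zero CRLs are fetched.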