
RE: New XAUTH draft



> ----------
> From: 	Bronislav Kavsan[SMTP:bkavsan@ire-ma.com]
> Sent: 	Friday, May 21, 1999 10:27 AM
> To: 	Greg Carter
> Cc: 	'ipsec@lists.tislabs.com'
> Subject: 	Re: New XAUTH draft
> 
> Greg,
> 
>     "If you configure your box to check CRLs at each auth AND your CA is
>     intelligent enough to push new CRLs each time a cert is revoked "
> 
> So I decided to play along using your term "push"
> 
Sorry, here I meant the CA 'push' the CRL to the directory, clients still
only grab it when they need it.

> Also, I am not sure if I understand your notion about a few smaller CRLs
> versus one big CRL. If I retrieve only a few CRLs - am I vulnerable to
> mis-authentication of a revoked certificate that I don't have a CRL for?
> 
No, each cert has a CRL distribution point extension in it, which names the
CRL (and the location) it would be on if it were revoked; each CRL has a
corresponding issuing distribution point.  When you validate the cert you
retrieve the CRL; if it's not in your local cache you go to the directory at
the specified location, and after retrieving the CRL you verify that its
issuing distribution point is the same.  Since both the cert and CRL are
signed by a CA you trust, you know you have the right CRL for this
certificate.

> I also understand what will happen in 1 year - but it is not a valid point
> though - I still have to build my IPSec device for the "mother's day" (as
> they say in AT&T)
> 
In one year each of those 10000 users has 10000 expired certs, no need to
query for CRLs.  If you mean within that one year, again with CRLs and
caching you have fewer queries to make.  With RADIUS you always have to query,
since each RADIUS request is for one user, and there are no server response
"validity periods" for denied auths.  With CRLs each CRL is appropriate for
X users.  It would seem to me that a good "mother's day" design would take
advantage of CRL lifetimes and, when under heavy load, allow caching of CRLs
for their validity period, which would help alleviate the network traffic
and delay caused by the queries.

Bye.  See you in Santa Barbara
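The validation flow described in the reply above (look up the cert's CRL distribution point, fetch the CRL only when it is not cached or has passed its next update, verify the CA signature, check that the CRL's issuing distribution point matches, then check the serial), as an added illustration that is not part of this thread. It is a constructed model, not real X.509 parsing: certs and CRLs are dataclasses, the trusted CA's signature is stood in for by an HMAC under a constructed key, and the directory is a dictionary that counts how many fetches it serves, so the effect of CRL caching on query volume is visible directly.

```python
"""Constructed model of CRL distribution point validation with a
validity-period cache. Not real X.509: certs and CRLs are plain dataclasses
and the CA signature is an HMAC under a constructed key standing in for a
signature by the trusted CA."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac

CA_KEY = b"constructed trust anchor, not a real CA key"


def ca_sign(*parts: str) -> str:
    """Stand-in for the trusted CA's signature over the listed fields."""
    return hmac.new(CA_KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Cert:
    serial: str
    crl_dp: str          # CRL distribution point: where this cert's CRL lives
    signature: str


@dataclass(frozen=True)
class CRL:
    issuing_dp: str      # issuing distribution point extension
    revoked: frozenset   # revoked serials
    this_update: datetime
    next_update: datetime
    signature: str


def crl_signed_fields(issuing_dp, revoked, this_update, next_update):
    return ("crl", issuing_dp, ",".join(sorted(revoked)),
            this_update.isoformat(), next_update.isoformat())


def make_cert(serial, crl_dp):
    return Cert(serial, crl_dp, ca_sign("cert", serial, crl_dp))


def make_crl(issuing_dp, revoked, this_update, lifetime):
    next_update = this_update + lifetime
    sig = ca_sign(*crl_signed_fields(issuing_dp, revoked, this_update, next_update))
    return CRL(issuing_dp, frozenset(revoked), this_update, next_update, sig)


class Directory:
    """Simulated directory: maps a location (URI) to the CRL published there
    and counts the fetches it serves."""
    def __init__(self, published):
        self.published = dict(published)   # uri -> CRL
        self.queries = 0

    def fetch(self, uri):
        self.queries += 1
        return self.published[uri]


class Validator:
    def __init__(self, directory):
        self.directory = directory
        self.cache = {}  # uri -> CRL, reused until its next_update

    def _crl_for(self, uri, now):
        crl = self.cache.get(uri)
        if crl is None or now >= crl.next_update:
            crl = self.directory.fetch(uri)
            expected = ca_sign(*crl_signed_fields(crl.issuing_dp, crl.revoked,
                                                  crl.this_update, crl.next_update))
            if not hmac.compare_digest(crl.signature, expected):
                raise ValueError("CRL not signed by the trusted CA")
            if crl.issuing_dp != uri:
                raise ValueError("CRL issuing distribution point does not match cert's CRL DP")
            self.cache[uri] = crl
        return crl

    def is_valid(self, cert, now):
        """True if the cert is CA-signed and its serial is absent from its CRL."""
        if not hmac.compare_digest(cert.signature, ca_sign("cert", cert.serial, cert.crl_dp)):
            return False
        return cert.serial not in self._crl_for(cert.crl_dp, now).revoked


def simulate():
    """10 constructed users split over 2 CRLs; user2 is revoked."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    dps = ["ldap://dir.example/crl1", "ldap://dir.example/crl2"]   # constructed URIs
    certs = [make_cert(f"user{i}", dps[i % 2]) for i in range(10)]
    hour = timedelta(hours=1)
    directory = Directory({dps[0]: make_crl(dps[0], {"user2"}, t0, hour),
                           dps[1]: make_crl(dps[1], set(), t0, hour)})
    v = Validator(directory)
    first = [v.is_valid(c, t0 + timedelta(minutes=5)) for c in certs]
    after_first = directory.queries            # one fetch per CRL, not per user
    second = [v.is_valid(c, t0 + timedelta(minutes=30)) for c in certs]
    after_second = directory.queries           # cache still valid: no new fetches
    # CA publishes fresh CRLs; after next_update the validator re-fetches them
    directory.published = {dp: make_crl(dp, {"user2"}, t0 + hour, hour) for dp in dps}
    third = [v.is_valid(c, t0 + timedelta(hours=1, minutes=5)) for c in certs]
    return {"first": first, "second": second, "third": third,
            "queries_after_first": after_first, "queries_after_second": after_second,
            "queries_after_refresh": directory.queries}


def wrong_crl_is_rejected():
    """A CA-signed CRL served at the wrong location fails the IDP check."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    directory = Directory({"ldap://dir.example/crl1":
                           make_crl("ldap://dir.example/crl2", set(), t0, timedelta(hours=1))})
    try:
        Validator(directory).is_valid(make_cert("userX", "ldap://dir.example/crl1"), t0)
    except ValueError:
        return True
    return False
```

Run `simulate()` to see that validating ten users twice costs two directory fetches rather than twenty, and that the fetch count rises again only once the cached CRLs pass their next update.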