
Re: CRLs



At 05:47 PM 10/26/99 -0400, Greg Carter wrote:
>So don't send it unless asked, if asked the above covers how. If they ask
>then they can process, so there shouldn't be interop problems.  If they ask
>and you can't produce then you have a problem, if you can't produce because
>you don't support CRLs then that is your problem.

This sounds right to me. We should add it to the draft as we add discussion 
about certificate requests and responses.

>  If you only support OCSP
>as a gateway and the OCSP server is behind your gateway you're SOL.

Maybe. We could extend the DOI slightly to allow the request of an OCSP 
response. Until we do that, however, you're right.

>So I think gateways should be prepared to respond with a CRL.  It's a very
>convenient method of transporting CRLs.

Yep.

>Putting the LDAP server behind the gateway is common.

I hadn't heard this, but if that's true, we do need a way to tunnel the 
CRLs and OCSP responses through to the IKE systems.

--Paul Hoffman, Director
--VPN Consortium


