Dear ChuHo,
Thanks for your help.
Again, thanks a lot.
Rgds, Franklin
From: chuho@my.netvigator.com
To: openldap-general@OpenLDAP.org
Subject: Re: CRL Distribution Mechanism Evaluation and Considerations
Date: Mon, 06 Dec 1999 15:28:37 +0800
Dear Franklin,
Two points:
1. Your x-ref addresses are incorrect. Both links should end with htm instead of html, i.e.,
> By Phillip Hallum-Baker http://csrc.nist.gov/pki/twg/papers/hallum-baker.htm
> By Mike Myers http://csrc.nist.gov/pki/twg/twg98_6.htm
2. I believe that Thawte supports HTTPS; yet no idea if they support LDAP over SSL.
Thanks and hope it helps.
>From: "Franklin Lee" <franklinlee@hotmail.com>
>To: michael.stroeder@inka.de, openldap-general@OpenLDAP.org
>Subject: Re: CRL Distribution Mechanism Evaluation and Considerations
>Date: Mon, 06 Dec 1999 01:56:52 GMT
>
>Thanks a lot for Michael's prompt response.
>
>Actually, I'm a student in Mainland China doing research on
>the "Digital Certificate" applications and limitations ---
>e-commerce and cryptography are still relatively new to our region.
>
>Regarding the CRL distribution mechanism, I have found few topics,
>yet there are '98 versions:
>
>a) Phillip Hallum-Baker
>http://csrc.nist.gov/pki/twg/papers/hallum-baker.html
>
>b) Mike Myers
>http://csrc.nist.gov/pki/twg/twg98_6.html
>
>Therefore, I would greatly appreciate comments and advice
>for the knowledge leads.
>
>Again, thanks a lot.
>
>Rgds,
>Franklin
>
>>From: Michael Ströder <michael.stroeder@inka.de>
>>To: openldap-general@OpenLDAP.org
>>Subject: Re: CRL Distribution Mechanism Evaluation and Considerations
>>Date: Sun, 05 Dec 1999 18:46:52 +0100
>>
>>Franklin Lee wrote:
>> >
>> > I'm interested in all experts' views on evaluating the distribution of
>> > the CRL (Certificate Revocation List) using LDAP over SSL instead of the
>> > other mechanisms, e.g., HTTPS (HTTP over SSL), regarding the different
>> > aspects, for example,
>>
>>You don't have to secure the transport of CRLs with e.g. SSL because the CRL
>>1. contains public data (serial numbers of revoked certs).
>>2. is also a certificate issued by the CA => non-repudiation is already
>>guaranteed by the CA's signature.
>>
>> > - what are the key considerations (e.g., performance, infrastructure) for
>> > choosing either protocol?
>>
>>The key consideration is the client's software. The client has to be
>>capable of retrieving the CRL. In my case I'm providing the certificates
>>and CRLs through HTTP and LDAP. But I put the HTTP-URL as CRL
>>distribution point in the certificates itself because most
>>certificate-using client software has support for HTTP but not for LDAP.
>>
>>But the main problem is how to motivate the client to retrieve an
>>initial or a new CRL? Most times this is done by the client software by
>>not allowing certificate usage if the CRL is expired. Unfortunately most
>>client software does not support the user very well in understanding CRLs.
>>E.g. Netscape Communicator mentions that it "cannot connect to secure
>>server" if you want to encrypt an e-mail with an e-mail certificate for
>>which the CRL is expired. :-(
>>
>>Ciao, Michael.
>>
>>P.S.: The mailing-list openssl-users@openssl.org might be a better
>>discussion forum for this question.
______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com
Attachment:
LDAP_HTTPS1.xls
Description: Binary data
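Michael's point in the quoted thread (a CRL's integrity comes from the CA's signature rather than from the transport, and a client should refuse to use a certificate once its CRL has expired), shown as an added example that is not part of this thread. It uses the Python `cryptography` package to build a constructed throw-away CA, issue a CRL, and run the two checks a relying party performs on a CRL fetched over plain HTTP or LDAP; all names and serial numbers are made up.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def utcnow():
    # Naive UTC, accepted by every cryptography release for builders.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def make_ca(cn="Example Test CA"):
    # Constructed throw-away CA: RSA key plus a self-signed certificate.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(utcnow() - datetime.timedelta(days=1))
            .not_valid_after(utcnow() + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_crl(ca_key, ca_cert, revoked_serials, stale=False):
    # The CRL is itself CA-signed; its validity window tells a relying party
    # when it must fetch a fresh copy. stale=True backdates it past nextUpdate.
    shift = datetime.timedelta(days=2 if stale else 0)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(utcnow() - shift - datetime.timedelta(hours=1))
               .next_update(utcnow() - shift + datetime.timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(utcnow()).build())
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def check_revocation(crl_der, ca_cert, serial):
    # Relying-party checks on a CRL fetched over an unprotected transport:
    # the CA signature gives integrity, the window guards against replay of old lists.
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "bad-signature"  # not issued by the CA we trust: discard it
    nxt = crl.next_update_utc if hasattr(crl, "next_update_utc") else crl.next_update
    if nxt.tzinfo is not None:
        nxt = nxt.astimezone(datetime.timezone.utc).replace(tzinfo=None)
    if nxt < utcnow():
        return "stale"  # expired CRL: refuse the certificate until a fresh one is fetched
    if crl.get_revoked_certificate_by_serial_number(serial) is not None:
        return "revoked"
    return "good"
```

A CRL signed by any key other than the trusted CA's is rejected outright, which is why serving it over SSL adds nothing to its integrity; the freshness check is what forces clients to keep fetching new lists.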