Sat, 2002-08-10 at 16:30, Chandra Sekhar Suram wrote:

> Should the certificate that signs the CRL be the same cert that signs the
> end-entity's certificates?

Certificate Authorities (CAs) are organized in chains, stemming from the root CA (Verisign, Thawte etc.; even your own, self-constructed Certificate Authority). CAs in the chain are authorized to sign and revoke CAs. Only the CA in the particular chain, or that/those above it, can revoke a certificate and thus add a certificate to a Certificate Revocation List. CAs that are recognized by other root CAs and are part of the hierarchy can revoke a CA certificate. If your own, or anybody else's, CA is not part of a defined chain, it obviously can't revoke a certificate in another, independent, chain.

> or Can any other certificate (ie., authorised to do so) sign the CRL?

One doesn't "sign a CRL", one "adds to a CRL." CRLs are propagated within a hierarchy, a chain.

> Since we do not know from where we are getting the data for an LDAP
> request, some imposter may be sending false data with the same issuer name.

Ain't possible. *Try it!*

> ie., How can we verify the LDAP response?

What LDAP response? Do you mean: "How can we verify that a CA is what he says he is?" Well, we tell our systems to do so. Most security-aware SSL software has built-in trusted authorities: Netscape browsers, OpenSSL, Microsoft browsers, etc. Any CAs besides these need to be added to a list of recognized CAs. OpenLDAP does this, amongst other places, in /etc/ldap.conf. One of those "other places" is ~/ldaprc. If OpenLDAP doesn't recognize a CA through its hard wiring and we don't include the CA location in one or more of these configuration files, then the signed certificate will not be recognized and any connection request will be summarily refused.

Actually, one of the things that I don't understand about OpenLDAP is that we don't tell it where to look for CRLs. We include CRLs in PKCS#12 bundles, we tell FreeS/WAN where the CRL is - what about OpenLDAP?

Hope this helps,

Best,

Tony

--
Tony Earnshaw

The usefulness of RTFM is vastly overrated.

e-mail: tonni@billy.demon.nl
www: http://www.billy.demon.nl
gpg public key: http://www.billy.demon.nl/tonni.armor
Telephone: (+31) (0)172 530428
Mobile: (+31) (0)6 51153356
GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981 3BE7B981
Attachment:
signature.asc
Description: This is a digitally signed message part
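The thread turns on two questions: which key a CRL is checked against, and what happens when someone publishes a CRL under a copied issuer name. The script below is an added, self-contained demonstration written for this page; it is not code from the post or from the OpenLDAP project. It builds two throw-away CAs with the same subject name ("Demo CA", a constructed placeholder), issues and revokes a certificate for a constructed host name, and then runs `openssl verify` three ways: with no CRL, with the issuing CA's own CRL, and with a CRL produced by the look-alike CA. The last step shows that a CRL is only honoured if its signature checks against the trusted issuer certificate, regardless of the issuer name it carries. The final block shows where an OpenSSL-backed OpenLDAP client looks for CRLs: the `TLS_CRLCHECK` and `TLS_CACERTDIR` settings from `ldap.conf(5)` in releases later than the one discussed in 2002, with CRLs stored under their `openssl crl -hash` name and an `.r0` suffix.

```shell
#!/bin/sh
# Added example (not part of the original list post). All names, keys and
# directories are constructed on the fly; nothing here touches a real CA.
set -e
export WORK="$(mktemp -d)"
cd "$WORK"

# One configuration serves both CAs; CA_DIR selects whose database and key are used.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $ENV::CA_DIR
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# make_ca DIR: a self-signed CA (able to sign certs and CRLs) plus an empty ca(1) database.
make_ca() {
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  echo 1000 > "$1/serial"
  echo 1000 > "$1/crlnumber"
  CA_DIR="$1" openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=Demo CA" -days 365 -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}
make_ca real   # the CA that really issues the certificate below
make_ca fake   # an unrelated key pair that merely reuses the issuer name

# Issue an end-entity certificate from the real CA (host name is constructed).
CA_DIR=real openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=ldap.example.test" -keyout ee.key -out ee.csr 2>/dev/null
CA_DIR=real openssl ca -batch -notext -config ca.cnf -in ee.csr -out ee.pem 2>/dev/null

# Both CAs publish a CRL listing the same serial number; only one is signed by the issuer.
CA_DIR=real openssl ca -config ca.cnf -revoke ee.pem 2>/dev/null
CA_DIR=real openssl ca -config ca.cnf -gencrl -out real.crl 2>/dev/null
CA_DIR=fake openssl ca -config ca.cnf -revoke ee.pem 2>/dev/null
CA_DIR=fake openssl ca -config ca.cnf -gencrl -out fake.crl 2>/dev/null

# verify_with_crl TRUSTED_CA CRL_OR_EMPTY CERT -> accepted | revoked | crl-not-trusted: ...
verify_with_crl() {
  if [ -n "$2" ]; then
    out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1) && { echo accepted; return 0; }
  else
    out=$(openssl verify -CAfile "$1" "$3" 2>&1) && { echo accepted; return 0; }
  fi
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *)                       echo "crl-not-trusted: $out" ;;   # e.g. "CRL signature failure"
  esac
  return 0
}

echo "no CRL:        $(verify_with_crl real/ca.pem ''       ee.pem)"   # accepted
echo "real CA's CRL: $(verify_with_crl real/ca.pem real.crl ee.pem)"   # revoked
echo "imposter CRL:  $(verify_with_crl real/ca.pem fake.crl ee.pem)"   # neither accepted nor revoked

# Where an OpenSSL-backed OpenLDAP client finds CRLs: TLS_CRLCHECK looks in
# TLS_CACERTDIR for <hash>.0 (CA certificates) and <hash>.r0 (CRLs).
mkdir -p certs
cp real/ca.pem "certs/$(openssl x509 -hash -noout -in real/ca.pem).0"
cp real.crl    "certs/$(openssl crl  -hash -noout -in real.crl).r0"
cat > ldap.conf <<EOF
TLS_CACERTDIR $WORK/certs
TLS_REQCERT   demand
TLS_CRLCHECK  all
EOF
```

The generated `ldap.conf` is a sample for the temporary directory only; on a real client the same three lines belong in `/etc/ldap.conf` (or `~/ldaprc`, as the post notes), with `TLS_CACERTDIR` pointing at the directory that holds the hashed CA certificate and CRL files.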