
Re: [Condor-users] SSL authentication with WinXP



On Thu, 15 Mar 2007, Ian Alderman wrote:

<snip>
And one thing that really bothers me with the current SSL implementation
in Condor, is the fact that apparently nowhere there is the use of
Certificate Revocation Lists in order to centrally revoke a certificate
and essentially kick out a compute node from the pool by simply revoking
its certificate... but this is yet another topic :)

This is a good suggestion for the next step with the SSL authentication
method.

CRLs are a hideously broken method of trying to deal with certificates that should no longer be considered valid. It would be much better to implement support for OCSP (*), which is at least a somewhat less broken way of handling things.

That's my 2 cents anyway... :)

(*) http://www.ietf.org/rfc/rfc2560.txt

	-- Bruce

--
Bruce Beckles,
e-Science Specialist,
University of Cambridge Computing Service.