[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] SSL authentication with WinXP

On Thu, 15 Mar 2007, Ian Alderman wrote:

And one thing that really bothers me with the current SSL implementation
in Condor, is the fact that apparently nowhere there is the use of
Certificates Revocation Lists in order to centrally revoke a certificate
and essentially kick out a compute node from the pool by simply revoking
its certificate..but this is yet another topic :)

This is a good suggestion for the next step with the SSL authentication

CRLs are a hideously broken method of trying to deal with certificates that should no longer be considered valid. It would be much better to implement support for OCSP (*), which is at least a somewhat less broken way of handling things.

That's my 2 cents anyway... :)

(*) http://www.ietf.org/rfc/rfc2560.txt

	-- Bruce

Bruce Beckles,
e-Science Specialist,
University of Cambridge Computing Service.