zhuzengpeng / jscep

Automatically exported from code.google.com/p/jscep
MIT License

Usage of the SCEP GetCRL message should be more flexible #47

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I can think of 3 different scenarios on how CRLs *could* be used (I'm not
sure if these cases are valid or not):

1) A SCEP client wants to check to see if his own certificate that has
already been issued has not been revoked.  Perhaps to know if/when to
re-enroll, or just to become aware of his own state.
2) A SCEP client wants to check that the SCEP server's certificate has
not been revoked. Perhaps this is done before enrollment as part of a
verification that the client is talking to a valid SCEP server.
Perhaps this is done some time after enrollment to check if the client
certificate is still valid.
3) A server wishing to validate a client with a SCEP-issued
certificate wants to check with the SCEP server that the client's
certificate has not been revoked, i.e. obtain the SCEP server's CRL.
This could be done using a CRL distribution point baked into the
client certificate, which would be the SCEP server's GetCRL URL.

The jSCEP client (Client.java) getRevocationList() method retrieves
the SCEP server's certificate and provides the issuer name and serial
number of that certificate with its request for the CRL.  That seems
to line up most with scenario #2 above.  The jSCEP client doesn't
support the other use cases above.

Discussion here: http://groups.google.com/group/jscep-support/t/61b7151e9f323137

Original issue reported on code.google.com by dfpome...@gmail.com on 13 Jun 2011 at 5:46

GoogleCodeExporter commented 9 years ago

Original comment by davidgrant41 on 13 Jun 2011 at 6:12

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r1226.

Original comment by davidgrant41 on 13 Jun 2011 at 6:15

GoogleCodeExporter commented 9 years ago

Original comment by da...@grant.org.uk on 13 Jul 2011 at 6:37

GoogleCodeExporter commented 9 years ago

Original comment by da...@grant.org.uk on 13 Jul 2011 at 6:46

GoogleCodeExporter commented 9 years ago

Original comment by da...@grant.org.uk on 21 Aug 2012 at 11:58