About revoked certificates #2
Comments
When I say database I mean caching the results from the CRL as it's huge. I'm totally interested in a MR adding OCSP (I had a look at https://github.com/r509/r509 but didn't go much further yet) but for CRL as a fallback I'm not sure as it's super ineffective or requires caching which would mean much more complicated side effects and integrations.
Check revoked certificates with OCSP (#2)
Merged #3 and released
The readme mentions keeping a database of revoked certificates. Would you instead be interested in a pull request that uses crlDistributionPoints CRL and / or authorityInfoAccess OCSP to determine if a certificate is revoked? These are available as an array of X509::Certificate.extensions and as far as I am aware any certificate issued by a CA will include these extensions and could be used to validate a certificate by performing a CRL / OCSP request at the time of validation. Some CRLs can get large, 10MB+, so OCSP should probably be preferred when the certificate provides authorityInfoAccess.
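Added example (not code from this issue or from the project): Ruby that reads the two extensions named above by decoding their DER with OpenSSL::ASN1 instead of scraping the printable form, returns the OCSP responder and CRL URIs, and picks OCSP whenever the certificate advertises a responder. The certificate is a constructed self-signed one with hypothetical example.test URLs; decode_ext, collect_uris, revocation_sources and build_sample_cert are names chosen here.

```ruby
require "openssl"
OCSP_ACCESS_METHOD = "1.3.6.1.5.5.7.48.1" # id-ad-ocsp

# Decode an extension's extnValue (the contents of its OCTET STRING) as ASN.1.
def decode_ext(ext)
  OpenSSL::ASN1.decode(OpenSSL::ASN1.decode(ext.to_der).value.last.value)
end

# Walk a decoded ASN.1 tree collecting GeneralName URIs ([6] IA5String, implicit tag).
def collect_uris(node, out = [])
  if node.value.is_a?(Array)
    node.value.each { |child| collect_uris(child, out) }
  elsif node.tag_class == :CONTEXT_SPECIFIC && node.tag == 6
    out << node.value
  end
  out
end

# OCSP responder URIs (AccessDescriptions whose accessMethod is id-ad-ocsp) and CRL
# URIs (every DistributionPoint). OCSP is preferred whenever the certificate has one.
def revocation_sources(cert)
  ocsp, crl = [], []
  cert.extensions.each do |ext|
    case ext.oid
    when "authorityInfoAccess"
      decode_ext(ext).value.each do |access|
        method, location = access.value
        ocsp.concat(collect_uris(location)) if method.oid == OCSP_ACCESS_METHOD
      end
    when "crlDistributionPoints"
      crl.concat(collect_uris(decode_ext(ext)))
    end
  end
  { preferred: ocsp.empty? ? :crl : :ocsp, ocsp: ocsp, crl: crl }
end

# Constructed self-signed certificate carrying both extensions (hypothetical URLs).
def build_sample_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed.example.test")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("authorityInfoAccess",
    "OCSP;URI:http://ocsp.example.test,caIssuers;URI:http://ca.example.test/ca.crt"))
  cert.add_extension(ef.create_extension("crlDistributionPoints", "URI:http://crl.example.test/ca.crl"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
end
```

The caIssuers entry in authorityInfoAccess is deliberately ignored, since only the id-ad-ocsp access method points at a responder.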