A little off-topic: Looking for ideas re. CRL Checking and Tomcat

Discussion in 'Java' started by ohaya, Aug 20, 2004.

  1. ohaya

    ohaya Guest

    Hi,

    I have a standalone Tomcat server that I've configured for both client
    and server SSL authentication. I am aware that most would say that I
    should use Apache and a connector in front of Tomcat, but for a number
    of reasons, I'm being forced to go the standalone Tomcat route (plus the
    site will be very low-traffic).

    As I indicated, I have the client and server authentication working, but
    from what I can tell so far, there doesn't seem to be an inherent way to
    configure Tomcat, which apparently uses JSSE for the SSL features, to do
    CRL checking (i.e., checking whether client certs are in a CRL).

    I have a separate mechanism/method to periodically pull a CRL file onto
    the server where Tomcat is going to be running, but I'm wondering what
    the best approach would be to incorporate CRL checking of the client
    certs, and so I thought that I might post here in the hopes that someone
    might have some ideas.

    I think that I could do something like write code that would initially
    check the client cert against the CRL on the local drive and then set a
    session variable (e.g., "authenticated"), and then have code on each
    page to check whether the session variable is set or not, but this seems
    like a kind of brute force approach.

    I'm looking forward to any suggestions.

    Thanks in advance,
    Jim

    P.S. Since Tomcat uses JSSE, I've been reading through the JSSE docs.
    I'm kind of surprised that so far at least, I have seen very little in
    these docs mentioning CRLs and CRL checking. I guess I would've
    expected that CRL checking would've been a key requirement in any kind
    of software that involves PKI.
    ohaya, Aug 20, 2004
    #1
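One way to do the check without a per-page session flag, as an added example that is not from this thread: a servlet Filter that runs on every request and tests the client certificate Tomcat hands the webapp against the locally pulled CRL file (javax.servlet API, i.e. Tomcat 9 and earlier). The file paths and the filter name are assumptions; the CRL's signature is verified against the issuing CA and a CRL past its nextUpdate is treated as unusable, so the filter fails closed rather than silently admitting revoked certs.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.cert.*;
import java.util.Date;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Servlet Filter that rejects requests whose client certificate is listed in a CRL
// file kept on local disk. Both file paths are assumptions made for this example.
public class CrlCheckFilter implements Filter {
    private static final String CRL_PATH = "/etc/tomcat/crl/issuer.crl";   // assumed: the periodically pulled CRL
    private static final String CA_PATH = "/etc/tomcat/crl/issuer-ca.pem"; // assumed: CA that signs that CRL

    // True when the certificate is on the CRL. Re-reads the file per request so a freshly
    // pulled CRL takes effect at once; throws if the CRL is not signed by the CA or is stale.
    static boolean isRevoked(X509Certificate cert) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        X509CRL crl;
        try (FileInputStream in = new FileInputStream(CA_PATH)) { ca = (X509Certificate) cf.generateCertificate(in); }
        try (FileInputStream in = new FileInputStream(CRL_PATH)) { crl = (X509CRL) cf.generateCRL(in); }
        crl.verify(ca.getPublicKey());                       // an unverified CRL proves nothing
        Date next = crl.getNextUpdate();
        if (next != null && next.before(new Date())) throw new CRLException("CRL stale, nextUpdate=" + next);
        return crl.isRevoked(cert);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        // Tomcat's JSSE connector exposes the client's verified chain under this attribute; index 0 is the client cert.
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        try {
            if (certs == null || certs.length == 0 || isRevoked(certs[0])) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate missing or revoked");
                return;
            }
        } catch (Exception e) {                              // fail closed: no trustworthy CRL, no access
            resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "CRL unavailable");
            return;
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

Map the filter to the protected URL pattern in web.xml; the connector must already have clientAuth enabled so the certificate attribute is populated.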

  2. Sudsy

    Sudsy Guest

    ohaya wrote:
    <snip>
    > P.S. Since Tomcat uses JSSE, I've been reading through the JSSE docs.
    > I'm kind of surprised that so far at least, I have seen very little in
    > these docs mentioning CRLs and CRL checking. I guess I would've
    > expected that CRL checking would've been a key requirement in any kind
    > of software that involves PKI.
    It comes down to a question of who is willing to take responsibility
    for maintaining a Certificate Revocation List (CRL for those who don't
    know the terminology). Should it be the organization which issued the
    certificate in the first place? How much server space and bandwidth
    are they going to have to allocate to respond to queries? Will the cost
    be factored into what you pay to have your certificate signed in the
    first place? And what if a mistake is made and a certificate is revoked
    by someone other than the owner? Who's going to accept liability when
    a major site is knocked out of commission because the certificate has
    been maliciously or accidentally added to a CRL? Just take a look at
    what's happening in the domain registration arena!
    It's a quagmire! That's probably why there's not a lot of attention
    given to the issue. Besides which, people and organizations utilizing
    the PKI (Public Key Infrastructure) should KNOW how important it is to
    keep the private key secure and take appropriate steps, institute
    controls, etc. Organizations will typically manage their own CRL when
    using PKI to enable remote access to corporate data. As soon as a laptop
    goes missing, the key is administratively revoked.
    P.S. I prefer a mechanism which requires a password to "unlock" the key
    on the remote client. If the client computer goes missing, the key
    remains inaccessible. But that's just me being paranoid...
    Sudsy, Aug 21, 2004
    #2