Monthly Archives: October 2013

CAcert Assurances at LISA conference, Washington, DC, USA 05 November 2013

Leave a reply

The 27th Large Installation System Administration conference (aka. Lisa 2013) will be meeting Nov 3-8 in Washington, DC, USA. We have held a CAcert Birds-of-a-Feather (BoF) session at several of these. The CAcert Assurance BoF at LISA 13 will be Tuesday evening November 5th. This session is open to the public. Full details are posted on the event page on the CACert Wiki:

http://wiki.cacert.org/events/2013-11-05-LISA13

We will start with a presentation to cover the basics. We will also discuss the new TTP Assurance process. We will have several assurers there to do initial assurances. Mutual assurances are encouraged for getting practice and for answering questions. And there is the added benefit of earning experience points.

If you are in town for the conference or you live in the area, please join us to learn more about free digitial certificates available through CAcert.org.

Efficient method for frequent retrieval of CRLs

Leave a reply

Preferred protocol: OCSP

To verify the validity of a certificate issued by CAcert, the recommended method is to consult the OCSP responder running at ocsp.cacert.org. Many software packages have integrated support for the OCSP protocol, which is quite efficient in two ways:

  • very little data needs to be exchanged between client and server
  • the answer is always up-to-date because the server has the most recent Certificate Revocation List (CRL) on hand

Fall-back method: CRL

However, sometimes older software versions may lack working support for the OCSP protocol. But they often do have the ability to verify a given certificate against the Certificate Revocation List (CRL) published by the certificate issuer (CAcert in our case). For this to work, the client software requires a fairly recent copy of the CRL. Traditionally, such a copy can be obtained by an HTTP request for http://crl.cacert.org/revoke.crl and/or http://crl.cacert.org/class3-revoke.crl. Doing this regularly causes a lot of network traffic because the CRLs are quite large: revoke.crl is currently 5.6 MB, while class3-revoke.crl is 0.6 MB.

Improved fallback method: RSYNC

As of today a much more efficient method is available for maintaining a reasonably up-to-date local copy of the CAcert CRLs: the rsync protocol. After the initial retrieval of the full CRL, subsequent updates are orders of magnitude faster because only the small differences with the previous version need to be transmitted. The service can be used like this:

Initial setup:

$ mkdir crl-dir
$ rsync -avz crl.cacert.org::crl crl-dir

Regular update (e.g. via cron):

$ rsync -avz crl.cacert.org::crl crl-dir

Recommendation

Only if you cannot use OCSP and  really do need local up-to-date copies of CAcert’s CRLs, please consider the use of the rsync method outlined above. By saving bandwidth use on the crl.cacert.org server everybody benefits from better response times. Your cooperation is appreciated!