James already pointed out the ccd-exclusive approach, but I'd like to share the one I use:

On Tue, 03 May 2005 17:20:10 +0100, Roland Turner (SourceForge) wrote:

> My concern about the use of the CRL is that I'd prefer to allow access
> on a prohibited-unless-permitted basis rather than a
> permitted-unless-prohibited basis not only because that is good
> practice, but because of the risk of someone forgetting to add the CN of
> a departing user to the CRL (combined with the difficulty of having a
> subsequent audit pick this up; a difficulty that does not arise if a
> list of all permitted users is present).

The approach I use is as follows: my CA keeps a list of all unrevoked users (actually, it keeps the certificates for all unrevoked users in a version-controlled repository). Whenever a user is revoked, their certificate is deleted from the repository (though if it were ever needed for some reason, it could be pulled out of version control). This way it's possible to get a current list of unrevoked users, a history of who was created or revoked at any given time, and such.

BTW, I really, really am going to share these scripts someday. They were written for our deployment department, which has some rather specific needs, but IT is getting ready to generalize them for their own use; when that's done, they should be releasable.

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
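An added example of the prohibited-unless-permitted check the thread argues for, written for this page and not taken from the post or from OpenVPN itself: an OpenVPN --tls-verify hook that permits a client only if its CN has a certificate file in a checkout of the "unrevoked users" repository. It assumes that checkout lives in ALLOWED_CERT_DIR as one <CN>.crt per permitted user (a layout chosen here, not stated in the post), and relies on OpenVPN passing the certificate depth and X.509 subject as the two script arguments.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenVPN): a --tls-verify
# hook that implements default-deny. OpenVPN runs it once per certificate in
# the chain with two arguments, depth and X.509 subject; a non-zero exit
# rejects the connection. ALLOWED_CERT_DIR is assumed to be a checkout of the
# repository of unrevoked user certificates, stored as <CN>.crt.

ALLOWED_CERT_DIR="${ALLOWED_CERT_DIR:-/etc/openvpn/allowed-certs}"

# Extract the CN from a subject in either "/C=US/CN=alice/..." or
# "C=US, CN=alice, ..." form. Prints nothing if no CN is present.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's|.*CN=\([^/,]*\).*|\1|p' | sed 's/[[:space:]]*$//'
}

# Returns 0 (permit) only when depth is 0 and <CN>.crt exists in the allow
# directory. CA and intermediate certificates (depth > 0) are left to
# OpenVPN's normal chain verification. Everything else is denied, including
# subjects with no CN, so a forgotten revocation cannot widen access.
verify_peer() {
    depth="$1"
    subject="$2"
    if [ "$depth" != "0" ]; then
        return 0
    fi
    cn=$(subject_cn "$subject")
    if [ -z "$cn" ]; then
        echo "tls-verify: no CN in subject '$subject', rejecting" >&2
        return 1
    fi
    if [ -f "$ALLOWED_CERT_DIR/$cn.crt" ]; then
        return 0
    fi
    echo "tls-verify: '$cn' has no certificate in $ALLOWED_CERT_DIR, rejecting" >&2
    return 1
}

# When invoked by OpenVPN, act on the two arguments it passes.
if [ "$#" -eq 2 ]; then
    verify_peer "$1" "$2"
    exit $?
fi
```

Because the decision is "is this user's certificate still in the repository", revoking a user by deleting their file takes effect on the next connection, and the repository history doubles as the audit trail the quoted concern asks for.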