
[Openvpn-users] checking CRL

  • Subject: [Openvpn-users] checking CRL
  • From: Didier Conchaudron <didier@xxxxxxxxxxxxxxx>
  • Date: Thu, 09 Dec 2004 15:46:32 +0100

Hi all,

I'm planning to use OpenVPN France-wide with several clients/profiles/security policies, so I ask myself how openvpn manages multiple CRLs and multiple CAs/sub-CAs ....

I read the howto and I conclude that openvpn only checks if a client and a server have a certificate signed by the same CA, and that the CRL must be issued by this CA too.

But if openvpn wants to get a company-wide audience it will need a different approach.

Here's a typical company PKI tree:

            CAroot
           /      \
       SubCA1    SubCA2
          |        |    \
          |        |     |
       client1  server2  client2

CAroot, SubCA1 and SubCA2 all have their own CRL

1) If SubCA2 is revoked by CAroot, does client2 refuse to connect to server2?

2) If client1 is revoked by SubCA1, does server2 refuse to allow its connection?

I'm not criticizing openvpn, not at all. It's just a reflection on how we can enhance openvpn's way of doing it.

So, implement OCSP? Check the CDP (CRL distribution point) over http/ldap?

Now that we're near 2.0, can we just dream about openvpn 3.0 features ;-)
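The two questions above come down to one design choice: whether a verifier checks the CRL of the leaf certificate only, or the CRL of every certificate in the path, each against the CRL signed by its own issuer. The following is an added example, not code from the post or from OpenVPN: a small model of path building and CRL lookup over the PKI tree in the post, with constructed stand-in certificates and serial numbers (it skips CRL signature and validity-period checks that a real implementation must also do).

```python
# Added example, not code from the post or from OpenVPN: a model of X.509 path building plus
# CRL checking over the poster's PKI tree. Certs are constructed stand-ins, not real PEM objects.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

def build_chain(leaf, store, anchors):
    """Follow issuer links from leaf up to a trust anchor; returns [leaf, ..., root]."""
    chain, seen = [leaf], {leaf.subject}
    while chain[-1].subject not in anchors:
        issuer = anchors.get(chain[-1].issuer) or store.get(chain[-1].issuer)
        if issuer is None or issuer.subject in seen:
            raise ValueError(f"no path from {leaf.subject} to a trusted root")
        chain.append(issuer)
        seen.add(issuer.subject)
    return chain

def is_revoked(cert, crls):
    """crls maps CA name -> revoked serials; only the cert's own issuer's CRL counts."""
    return cert.serial in crls.get(cert.issuer, frozenset())

def verify(leaf, store, anchors, crls, crl_check_all):
    """crl_check_all=False checks the leaf only; True checks every non-root cert in the path."""
    chain = build_chain(leaf, store, anchors)
    for cert in (chain[:-1] if crl_check_all else chain[:1]):
        if is_revoked(cert, crls):
            return f"rejected: {cert.subject} revoked by {cert.issuer}"
    return "accepted"

# Constructed PKI matching the tree in the post (serial numbers are arbitrary).
CAROOT, SUBCA1, SUBCA2 = Cert("CAroot", "CAroot", 1), Cert("SubCA1", "CAroot", 2), Cert("SubCA2", "CAroot", 3)
CLIENT1, CLIENT2 = Cert("client1", "SubCA1", 10), Cert("client2", "SubCA2", 11)
ANCHORS = {CAROOT.subject: CAROOT}
STORE = {c.subject: c for c in (SUBCA1, SUBCA2)}
# Question 1: CAroot has revoked SubCA2.  Question 2: SubCA1 has revoked client1.
ALL_CRLS = {"CAroot": frozenset({3}), "SubCA1": frozenset({10})}
ROOT_CRL_ONLY = {"CAroot": ALL_CRLS["CAroot"]}

def scenarios():
    return {
        "q1_leaf_only": verify(CLIENT2, STORE, ANCHORS, ALL_CRLS, crl_check_all=False),
        "q1_full_chain": verify(CLIENT2, STORE, ANCHORS, ALL_CRLS, crl_check_all=True),
        "q2_root_crl_only": verify(CLIENT1, STORE, ANCHORS, ROOT_CRL_ONLY, crl_check_all=True),
        "q2_all_crls": verify(CLIENT1, STORE, ANCHORS, ALL_CRLS, crl_check_all=True),
    }
```

A leaf-only check lets client2 in after SubCA2 is revoked, and even a full-path check cannot reject client1 unless the server also has SubCA1's CRL, which is the same distinction OpenSSL exposes as `openssl verify -crl_check` versus `-crl_check_all`.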



Openvpn-users mailing list