
cacert-sysadm - Re: crl.cacert.org not responding sometimes

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list


Re: crl.cacert.org not responding sometimes


  • From: "Philipp Gühring" <pg AT futureware.at>
  • To: cacert-sysadm AT lists.cacert.org, "Michael Tänzer" <michael.taenzer AT cacert.org>, critical-admin AT cacert.org
  • Subject: Re: crl.cacert.org not responding sometimes
  • Date: Tue, 22 Oct 2013 00:44:22 +0200

Hi,

My suggestion is to ask some trusted and competent members of the CAcert
community to install and operate crl.cacert.org mirrors.

Some years ago, I envisioned that we will have a problem with the
bandwidth for the CRLs, so I migrated the CRLs from www.cacert.org to
crl.cacert.org (wherever possible, unfortunately, if I remember the root
certificates still point to www.cacert.org, but I think most of the
bandwidth should have been migrated successfully), and I set up
crl.cacert.org so that it retrieves the CRLs from www.cacert.org.
(Just imagine the troubles we would have if the CRLs were still at
www.cacert.org/crls)

The idea was that crl.cacert.org is a virtual machine that can be easily
cloned and set up in other datacenters, and we could easily let the DNS
entries for crl.cacert.org point to several machines (in different
countries), distributing the load between all of them.

Since the CRLs are signed by the signing machine, they can't be
manipulated, the only possible attack for a crl.cacert.org operator I know
is a denial-of-service attack.
So we can distribute the crl.cacert.org service to trusted community members.
My idea was to set up a monitoring system that would irregularly monitor
the CRLs (from different clients), and to withdraw rogue ones from DNS
automatically, so that crl.cacert.org could be operated by trusted CAcert
community people.

And by the way, I think that CRLs should be abolished completely. The only
good use-case I have found for them so far is to create statistics on
other CAs.

Another strategy I would suggest is to ask people when they want to revoke
a certificate, whether it's really necessary to revoke it, or not, and
suggest to them not to revoke it unless really needed. And after they
revoked it, present them a donation page, and a statistic that shows how
much bandwidth costs we had lately. (I know, I should have done those
things many years ago)

Best regards,
Philipp Gühring

I have developed and used a similar system for Futureware for about 15 years now:
http://www2.futureware.at/artikel/Traffic_Balancing.ps
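
An added sketch of the monitoring idea in the message above (not part of the original post and not CAcert's code): each mirror's CRL is compared byte-for-byte with the copy on the origin, and a mirror is dropped from the DNS pool only after repeated bad probes. The class and function names, the failure threshold and the `fetch` callable are assumptions, and a byte comparison stands in for verifying the CRL signature.

```python
from collections import Counter

FAIL_THRESHOLD = 3  # assumed: consecutive bad probes before withdrawal

def classify(blob, current, previous=None):
    """Compare the bytes one mirror served with the origin's CRL copies."""
    if blob is None:
        return "unreachable"
    if blob == current:
        return "ok"
    if previous is not None and blob == previous:
        return "lagging"   # one sync cycle behind: tolerated
    return "mismatch"      # older, truncated or otherwise wrong

class MirrorMonitor:
    def __init__(self, mirrors, fetch):
        self.mirrors = list(mirrors)
        self.fetch = fetch             # callable(mirror) -> bytes or None
        self.failures = Counter()

    def probe(self, current, previous=None):
        """One probe round over all mirrors; returns {mirror: status}."""
        report = {}
        for m in self.mirrors:
            try:
                blob = self.fetch(m)
            except OSError:            # network errors count as unreachable
                blob = None
            report[m] = classify(blob, current, previous)
            bad = report[m] in ("unreachable", "mismatch")
            self.failures[m] = self.failures[m] + 1 if bad else 0
        return report

    def dns_pool(self):
        """Mirrors that stay in the DNS record set for the CRL host."""
        healthy = [m for m in self.mirrors if self.failures[m] < FAIL_THRESHOLD]
        # Fail-safe: if every mirror looks bad, the monitor or the origin is
        # the likelier fault, so keep the full pool instead of emptying DNS.
        return healthy or list(self.mirrors)

def demo():
    # Constructed data: documentation-range IPs and dummy CRL bytes.
    served = {"192.0.2.10": b"crl-v2", "198.51.100.7": b"crl-v0", "203.0.113.5": None}
    mon = MirrorMonitor(served, served.get)
    for _ in range(FAIL_THRESHOLD):
        mon.probe(b"crl-v2", previous=b"crl-v1")
    return mon.dns_pool()
```

Because a mirror that keeps serving an old but validly signed CRL still passes signature checks, the comparison against the origin's current copy is what catches it.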



