CAcert System Admins discussion list

[Jan Dittberner <jandd AT cacert.org>]

On Tue, Oct 22, 2013 at 02:11:09AM +0200, Andre Klärner wrote:
> Hi Philipp,
> 
> On Tue 22.10.2013 00:44:22, Philipp Gühring wrote:
> > My suggestion is to ask some trusted and competent members of the CAcert
> > community to install and operate crl.cacert.org mirrors.
> > 
> > Some years ago, I envisioned, that we will have a problem with the
> > bandwidth for the CRLs, so I migrated the CRLs from www.cacert.org to
> 
> I already thought, that someone envisioned something clever like this.
> 
> My idea would be to setup crl.cacert.org and www.cacert.org/crl so that
> they 301 reroute to appropriate mirrors, which than can also be two
> files hosted at any willing site.

I'm not sure whether existing CRL consumers will follow HTTP redirects
properly, I think a DNS round robin solution as proposed by Philipp is the
approach with a better compatibility (and yes I would like to get rid of
CRLs better sooner than later too).

> The idea is quite easily copied from http.debian.net created by Raphael
> Geissert. Maybe it would work out build a more minimalistic implementation
> of it's idea for our purpose.

http.debian.net is for apt-get/aptitude which respect HTTP redirects, there
is a much larger variance of possible CRL consumers.

> I for my part would be happy to host a bit (5-10GB) of the crl-traffic on
> my servers.

Me too.


Best regards
Jan

-- 
Jan Dittberner - CAcert Infrastructure Team
Software Architect, Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
         B2FF 1D95 CE8F 7A22 DF4C  F09B A73E 0055 558F B8DD
http://www.dittberner.info/

Attachment: smime.p7s
Description: S/MIME cryptographic signature