
Suppose I have a network of machines inside a company that use certificates for various services. All of these services and machines are internal and never have to deal with public-facing technologies or be exposed to the public. In such a scenario, I am trying to understand the best way to go about revoking certificates. The code using these certificates, and hence the CRLs, is also home-grown.

Is there an argument to use CRL and OCSP as specified in the standard? For example, I don't need to know why the cert is revoked. All I care about is a yes or no. Are there any reasons not to simplify and thereby reduce the size of the CRL by doing something custom?

SFlow
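The "yes or no" check the question describes, done with the CRL format as standardized rather than a custom list, as an added example that is not from the question or any answer. It shows what a home-grown format would have to reinvent before the lookup even starts: signature verification against the issuer and a freshness check on NextUpdate, both of which Go's standard library already performs. It assumes Go 1.21 or later (crypto/x509's RevocationListEntry and slices); the CA, CRL and serial numbers are constructed in memory for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"slices"
	"time"
)

// IsRevoked answers the "yes or no" question against a DER-encoded CRL the
// standard way: parse, verify the issuer's signature, refuse a stale CRL, then
// look the serial up. Every failure is an error, never a silent "not revoked".
func IsRevoked(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err // tampered CRL, or one from a different issuer
	}
	if now.After(crl.NextUpdate) {
		return false, errors.New("CRL is past NextUpdate; fetch a fresh one")
	}
	return slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool {
		return e.SerialNumber.Cmp(serial) == 0
	}), nil
}

// Demo builds a throwaway in-memory CA (constructed for this example) and a
// CRL that revokes serial 42, then checks serials 42 and 43 against it.
func Demo() (bool, bool, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Internal CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	ca, _ := x509.ParseCertificate(der) // SubjectKeyId is generated for CAs; CRL signing needs it
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(42), RevocationTime: now}},
	}, ca, priv)
	r42, err42 := IsRevoked(crlDER, ca, big.NewInt(42), now)
	r43, err43 := IsRevoked(crlDER, ca, big.NewInt(43), now)
	return r42, r43, errors.Join(err, err42, err43)
}
```

A CRL of plain serial numbers is already close to the "just yes or no" list the question imagines; the signature and validity window are the parts worth keeping.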
  • Is there a trusted Root CA and/or Issuing CA distributing client certificates or are they all self-signed certificates? – user2320464 Apr 04 '19 at 00:02
  • *"Is there an argument to use CRL and OCSP as specified in the standard?"* - how about: making use of existing implementations and relying on existing designs? What do you think is the chance that a) you mess up your own proprietary design and implementation vs b) many others mess up their common understanding of what should be done and how to do it? In other words: unless there is a real need to design and build your own security critical solution you'd better rely on existing designs and implementations. – Steffen Ullrich Apr 04 '19 at 04:51
  • I understand that. I was asking purely from a security point of view. I understand that implementation and code is a big portion of security for a system. But can we ignore the points you raised with the understanding that they weigh majorly in my thought process? – SFlow Apr 04 '19 at 16:46
  • Rolling your own PKI is just like [rolling your own crypto](https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own), don't do it. – user2320464 Apr 05 '19 at 15:35
  • There are many facets of "security" (e.g. risk, CIA, etc.) which all contribute to the decision making process. What aspect of "security" is of concern? Your question is very broad and would greatly benefit from having more details. – user2320464 Apr 05 '19 at 15:37

0 Answers