SiteMinder can confirm the validity of certificates using either of the following two methods:
A certificate revocation list (CRL) is a list of revoked X.509 client certificates published by the CA to an LDAP user directory. Comparing certificates against CRLs is one method of ensuring that certificates are valid.
Note: The Policy Server can support CRLs greater than 1.7 MB in size.
The OCSP protocol enables OCSP-enabled applications (such as SiteMinder) to determine the revocation state of an identified X.509 client certificate in a more timely manner than is possible with CRLs. When a user with such a certificate tries to access a protected resource, SiteMinder issues a status request to an OCSP responder and suspends acceptance of the certificate in question until the responder provides a response.
Certificate Revocation Lists can get large and their propagation can therefore become slow. OCSP checking provides real-time status information and lessens network traffic significantly, but requires access to an OCSP Responder.
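The CRL check described above, written out as an added example in Go using only the standard library; this is illustrative code, not SiteMinder's own implementation. It constructs a throwaway CA, a client certificate and a CA-signed CRL in memory (all sample data), then shows the three decisions a CRL-based check has to make before it can trust the list: the CRL must be signed by the certificate's issuer, it must still be current (the `NextUpdate` test is the programmatic form of the propagation caveat above: a stale list says nothing about certificates revoked since it was published), and only then is the serial number looked up. OCSP is not shown because the Go standard library has no OCSP client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// check aborts on fixture-construction errors; nothing here comes from user input.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// BuildFixture constructs, entirely in memory, a test CA, a client certificate
// issued by it, and a CRL signed by the CA. With revokeLeaf set, the client
// certificate's serial number is listed in the CRL. All values are constructed
// sample data, not SiteMinder or CA Technologies artifacts.
func BuildFixture(revokeLeaf bool) (ca, leaf *x509.Certificate, crlDER []byte) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// crlSign must be set for the CA to sign a CRL.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	ca, err = x509.ParseCertificate(caDER)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "alice"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	check(err)
	leaf, err = x509.ParseCertificate(leafDER)
	check(err)
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(7),
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(time.Hour), // after this the list must be treated as stale
	}
	if revokeLeaf {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{
			SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute),
		}}
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	check(err)
	return ca, leaf, crlDER
}

// CheckAgainstCRL decides whether cert is acceptable according to crlDER.
// The CRL is trusted only if it is signed by the issuer and is current at
// "now"; a revoked serial, a stale list or an unverifiable list all yield a
// non-nil error, so the caller fails closed rather than accepting the cert.
func CheckAgainstCRL(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) error {
	if err := cert.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("certificate not issued by this CA: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("CRL parse: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || (!crl.NextUpdate.IsZero() && now.After(crl.NextUpdate)) {
		return errors.New("CRL is not current; refresh it from the directory before deciding")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s revoked at %s",
				cert.SerialNumber, rc.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

func main() {
	ca, leaf, crl := BuildFixture(true)
	fmt.Println("revoked cert:", CheckAgainstCRL(leaf, ca, crl, time.Now()))
	ca, leaf, crl = BuildFixture(false)
	fmt.Println("valid cert  :", CheckAgainstCRL(leaf, ca, crl, time.Now()))
	fmt.Println("stale CRL   :", CheckAgainstCRL(leaf, ca, crl, time.Now().Add(48*time.Hour)))
}
```

The ordering matters: verifying the CRL signature before consulting its contents means a list substituted in the directory by someone without the CA's key is rejected outright, and the freshness test is what makes a size-limited or slowly replicated CRL fail closed instead of silently accepting a certificate revoked after the last publication.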
Copyright © 2011 CA. All rights reserved.