1

When distributing a CRL over HTTP, what is the optimal cache and max age settings (etc) for this distribution mechanism?

Related information on a different answer

  • Consider using HTTP instead of LDAP. Although AD DS enables publication of CRLs to all domain controllers in the forest, implement HTTP instead of LDAP for revocation information publication. Only HTTP enables the use of the ETag and Cache-Control: Max-age headers, providing better support for proxies and more timely revocation information. In addition, HTTP provides better heterogeneous support, as HTTP is supported by most Linux, UNIX, and network device clients.

  • Another reason not to use LDAP is that it allows the revocation window to be smaller. When using AD LDAP to replicate CA information, the revocation window couldn't be less than the time for all sites in AD to get the CA update. Oftentimes this replication could take up to 8 hours... that is 8 hours until a smartcard user's access is revoked. `Todo: the new recommended CRL refresh time is: ?????`

...

OCSP Cache duration

All OCSP actions occur over the HTTP protocol and therefore are subject to typical HTTP proxy cache rules.

Specifically the Max-age header defines the maximum time that a proxy server or client will cache a CRL or OCSP response before using a conditional GET to determine whether the object has changed. Use this information to configure the web server to set the appropriate headers. Look elsewhere on this page for AD-IIS specific commands for this.

makerofthings7

1 Answer

2

I'm afraid the answer will be "it depends". How many simultaneous requests can your server(s) handle? How important is it to your organization that information about a revoked certificate be propagated quickly?

If you put the Max-age setting too high, a revoked certificate will still be able to connect for up to the max-age setting. If you put it too low, you risk having too many clients connecting at once, bringing your CRL servers to a halt. Which of these factors is the most important one depends on the priorities of your organization.

If you e.g. have a requirement for a certificate revocation to propagate within 5 minutes, you need to make sure that your CRL servers can handle the load of every single client sending a request every 5 minutes - which means stress-testing the server with maybe thrice that load to be sure that it will be able to handle unusual circumstances. If your servers can't handle that load, you will need to either increase computer power, or accept that you can't propagate the CRLs that fast.

Jenny D
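The two halves of this thread fit together in a small amount of server-side logic: the question's point that HTTP lets a proxy or client honour `Cache-Control: max-age` and then revalidate with a conditional GET against the `ETag`, and the answer's point that `max-age` is the knob trading revocation propagation time against server load. The example below is added here and is not code from either poster. It assumes Python 3, a CRL served at a single URL, and a constructed byte string standing in for the DER-encoded CRL (only its bytes matter, for the ETag); the client population and 5-minute propagation requirement are the answer's illustrative numbers, not real figures. It adds one caveat the thread implies but does not spell out: `max-age` must never extend past the CRL's own `nextUpdate`, or caches will keep handing out a CRL that clients are about to reject as expired.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

# Constructed sample input (NOT a real DER CRL): only its bytes matter here,
# because the ETag is derived from them.
SAMPLE_CRL_DER = b"\x30\x82\x01\x00 constructed sample CRL bytes for this example"
THIS_UPDATE = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)   # CRL thisUpdate (constructed)
NEXT_UPDATE = THIS_UPDATE + timedelta(hours=24)                 # CRL nextUpdate (constructed)
PROPAGATION_WINDOW = 300        # the answer's example: revocation must propagate within 5 minutes

# Three points in time used in the demo below: shortly after issue, just before
# nextUpdate, and after the CRL has already expired.
NOW_EARLY = THIS_UPDATE + timedelta(minutes=10)
NOW_LATE = NEXT_UPDATE - timedelta(minutes=2)
NOW_EXPIRED = NEXT_UPDATE + timedelta(minutes=1)


def crl_etag(crl_der: bytes) -> str:
    """Strong ETag derived from the CRL bytes; any reissued CRL gets a new tag,
    so a conditional GET with If-None-Match detects the change."""
    return '"' + hashlib.sha256(crl_der).hexdigest()[:32] + '"'


def crl_max_age(now: datetime, next_update: datetime, propagation_window: int) -> int:
    """Seconds a cache may serve this CRL without revalidating.

    The propagation window is the organisation's choice (the answer's trade-off);
    it is capped at the time remaining until nextUpdate so no cache keeps serving
    a CRL that relying parties would reject as expired. An already expired CRL
    gets max-age=0, i.e. revalidate on every request.
    """
    remaining = int((next_update - now).total_seconds())
    return max(0, min(propagation_window, remaining))


def crl_response_headers(crl_der, this_update, next_update, now, propagation_window):
    """Cache-related headers for the CRL download, as the question's quoted text
    describes (ETag plus Cache-Control: max-age, which HTTP can carry and LDAP cannot)."""
    max_age = crl_max_age(now, next_update, propagation_window)
    return {
        "ETag": crl_etag(crl_der),
        "Last-Modified": format_datetime(this_update, usegmt=True),
        "Cache-Control": f"public, max-age={max_age}",
        "Expires": format_datetime(now + timedelta(seconds=max_age), usegmt=True),
    }


def serve_crl(request_headers, crl_der, this_update, next_update, now, propagation_window):
    """Handle a GET for the CRL, including the conditional GET a proxy sends once
    max-age has lapsed. Returns (status, headers, body)."""
    headers = crl_response_headers(crl_der, this_update, next_update, now, propagation_window)
    if_none_match = request_headers.get("If-None-Match")
    if if_none_match is not None:
        # A proxy may send several tags at once; a match means its copy is current.
        offered = [tag.strip() for tag in if_none_match.split(",")]
        if headers["ETag"] in offered or "*" in offered:
            return 304, headers, b""           # unchanged: no body, refreshed cache headers
    full = dict(headers)
    full["Content-Type"] = "application/pkix-crl"
    return 200, full, crl_der


def estimate_peak_rps(clients: int, max_age_seconds: int, safety_factor: int = 3) -> float:
    """Worst-case revalidation rate if every client re-checks once per max-age,
    scaled by the 'thrice that load' safety factor the answer suggests testing with."""
    return clients * safety_factor / max_age_seconds


if __name__ == "__main__":
    status, hdrs, body = serve_crl({}, SAMPLE_CRL_DER, THIS_UPDATE, NEXT_UPDATE, NOW_EARLY, PROPAGATION_WINDOW)
    print(status, hdrs["Cache-Control"], hdrs["ETag"], len(body), "bytes")
    status, hdrs, body = serve_crl({"If-None-Match": hdrs["ETag"]}, SAMPLE_CRL_DER,
                                   THIS_UPDATE, NEXT_UPDATE, NOW_EARLY, PROPAGATION_WINDOW)
    print(status, "conditional GET, body", len(body), "bytes")
    print("max-age just before nextUpdate:", crl_max_age(NOW_LATE, NEXT_UPDATE, PROPAGATION_WINDOW))
    print(f"{estimate_peak_rps(100_000, PROPAGATION_WINDOW):.0f} req/s to stress-test for (100k clients, 5 min)")
```

The load estimate is the part worth internalising from the answer: 100,000 clients re-checking every 5 minutes is about 333 requests per second on average, and testing at three times that gives the headroom for the thundering herd that follows a CRL reissue, when every cache's copy changes at once. The `Last-Modified` header is included so that caches which prefer `If-Modified-Since` over `If-None-Match` can still revalidate cheaply.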