
List:       racf-l
Subject:    Re: [EXTERNAL]  Re: Certificate revocation status checking
From:       Travis Gibson <travis.gibson.c06u@STATEFARM.COM>
Date:       2020-02-05 18:27:24
Message-ID: 87a95fd3de834441b90b9f0e29ddb4c0@statefarm.com

We do not have the HTTP server or an LDAP deployed on our z/OS system(s). We do
have ICSF.

Managing an HTTP server and a new LDAP on z/OS would be significant work. I do not
have any experience in managing either. I read over the LDAP object classes and
attributes in the setup and it isn't exactly simple.

I thought the CRL would be necessary to support the revocation process. How would
you manage to stop certs that expired without the CRL?

For modern browsers, SAN and CRL extensions are being required. At a minimum it
would be nice to see RACDCERT be able to add these extensions.

-----Original Message-----
From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of Wai Choi
Sent: Tuesday, February 04, 2020 3:05 PM
To: RACF-L@LISTSERV.UGA.EDU
Subject: [EXTERNAL] Re: Certificate revocation status checking

Travis,

Are the HTTP server, LDAP server and ICSF basic components that people usually 
use? They all come with z/OS. PKI exits are optional. 

You can choose to host PKI Services to provide basic functions or 
implement it fully. Compared with RACDCERT, a basic PKI Services setup can 
generate certificates with more extensions and can provide a CRL even 
without LDAP.

Regards,
Wai 

Wai Choi - RACF/PKI Design and Development




From:   Travis Gibson <travis.gibson.c06u@STATEFARM.COM>
To:     RACF-L@LISTSERV.UGA.EDU
Date:   02/04/2020 10:50 AM
Subject:        Re: [EXTERNAL]  Re: Certificate revocation status checking
Sent by:        RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>



Standing up PKI on z/OS requires significant investment in new knowledge 
and support.
- REXX CGI or JavaServer Pages (JSPs); in either case they would need to 
have an HTTP server stood up on z/OS 
- LDAP - for the Certificate Revocation List (optionally off platform 
(Linux/Windows))
- PKI
- ICSF
- Potential exits would be involved

If you want notifications then a mail server would also be needed on z/OS




-----Original Message-----
From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of 
Wai Choi
Sent: Friday, January 31, 2020 3:43 PM
To: RACF-L@LISTSERV.UGA.EDU
Subject: [EXTERNAL] Re: Certificate revocation status checking

Hi all,

I posted these questions last month. I have received some responses 
sent directly to me. I would like to thank those who have replied. 

From the responses I collected so far:
1) revocation checking is needed for applications running on the non z 
platforms; 
2) commercial CA is needed only for external facing servers

We have received a requirement to enhance the RACDCERT-generated 
certificates to include multiple domain names in the Subject Alternative 
Name extension. If the certificate is to be validated by applications 
running on non-z platforms and the revocation status needs to be 
checked, then the RACDCERT-generated certificate cannot be used even if we 
spend the effort to add multiple domain name support.

On the other hand, z/OS PKI Services already supports the generation of 
certificates with multiple domain names AND it is able to generate 
certificates with revocation information, either through a Certificate 
Revocation List (CRL) or the Online Certificate Status Protocol (OCSP). 

I understand issuing a RACDCERT GENCERT command is much simpler than 
setting up a fully functioning CA. What simplifications would make you 
consider using z/OS PKI Services for your internal use?

BTW, I made a typo in my previous replies. It should be corporate policy.

Regards,
Wai 

Wai Choi - RACF/PKI Design and Development




From:   Wai Choi <wchoi@US.IBM.COM>
To:     RACF-L@LISTSERV.UGA.EDU
Date:   12/10/2019 02:38 PM
Subject:        [EXTERNAL] Certificate revocation status checking
Sent by:        RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>



Hi all,

I believe most of the applications you use today are using digital 
certificates. Would you share your answers to the following questions:

1) Do your applications need to check the revocation status of the 
certificate? What is the percentage of those that require the checking vs. 
those that don't?

2) Does your company policy require ALL certificates to be issued by a 
commercial CA? If not, how do you get them?

Thanks in advance for providing me the information.

Regards,
Wai 

Wai Choi - RACF/PKI Design and Development


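Added example, not part of the RACF-L thread above and not RACDCERT or PKI Services code: a throwaway OpenSSL CA that does what Wai's 2020-01-31 message says an off-platform validator needs from a certificate (several Subject Alternative Name entries plus a CRL distribution point), publishes a CRL, revokes the certificate, and then runs the relying-party check. It also answers the expiry question in Travis's reply by issuing a second, already-expired certificate: a validator rejects that one from its notAfter date alone, with no CRL entry involved, whereas stopping a certificate before it expires is exactly what the CRL (or OCSP) is for. Everything here is hypothetical: the names, the CRL URI, the work directory; the only assumption is that the openssl CLI (1.1.1 or 3.x) is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): minimal OpenSSL CA with SAN + CRL
# distribution point, CRL publication, revocation, and relying-party checks.
# Assumes: openssl 1.1.1/3.x on PATH. All names, URIs and paths are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/ca.cnf"

write_config() {
  cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = internal
[ internal ]
new_certs_dir = newcerts
database = index.txt
serial = serial
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
# the two extensions the thread says off-platform validators expect (hypothetical values)
subjectAltName = DNS:app.example.internal,DNS:app2.example.internal
crlDistributionPoints = URI:http://pki.example.internal/internal.crl
EOF
}

# Self-signed CA plus the bookkeeping files "openssl ca" insists on.
build_ca() {
  cd "$WORK"
  write_config
  mkdir -p newcerts
  : > index.txt
  echo 1000 > serial
  echo 1000 > crlnumber
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$CNF" -extensions v3_ca \
    -subj "/CN=Example Internal CA" -days 3650 -keyout ca.key -out ca.crt 2>/dev/null
}

# issue NAME [extra "openssl ca" options]: key, CSR and CA-signed cert carrying leaf_ext.
issue() {
  name=$1; shift
  cd "$WORK"
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
    -subj "/CN=$name" -keyout "$name.key" -out "$name.csr" 2>/dev/null
  openssl ca -batch -notext -config "$CNF" -extensions leaf_ext \
    -in "$name.csr" -out "$name.crt" "$@" 2>/dev/null
}

publish_crl() { cd "$WORK"; openssl ca -config "$CNF" -gencrl -out crl.pem 2>/dev/null; }

revoke() {
  cd "$WORK"
  openssl ca -config "$CNF" -revoke "$1.crt" -crl_reason keyCompromise 2>/dev/null
  publish_crl   # a revocation is invisible to relying parties until a new CRL is published
}

# verify_status NAME: the relying-party check (chain + CRL). Prints OK, revoked or
# expired and returns 0, 2 or 3; any other failure prints openssl's reason, returns 1.
verify_status() {
  cd "$WORK"
  if out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$1.crt" 2>&1); then
    echo OK; return 0
  fi
  case "$out" in
    *"certificate revoked"*)     echo revoked; return 2 ;;
    *"certificate has expired"*) echo expired; return 3 ;;
    *)                           echo "$out";  return 1 ;;
  esac
}

build_ca
issue app.example.internal
issue old.example.internal -startdate 200101000000Z -enddate 200102000000Z  # already expired
publish_crl                                                                 # empty CRL so far
echo "fresh cert, empty CRL:        $(verify_status app.example.internal)"
revoke app.example.internal
echo "same cert, after revocation:  $(verify_status app.example.internal)"
echo "expired cert, not on any CRL: $(verify_status old.example.internal)"
```

The last three lines print OK, revoked and expired in that order. The check that a non-z application performs is the one in verify_status: it needs the issuing CA certificate and a current CRL fetched from the URI in the certificate's crlDistributionPoints (here loaded from a local file instead), and a certificate whose notAfter has passed fails without any CRL at all. OCSP replaces the CRL download with a signed per-certificate status response, but the certificate still has to carry the responder's URI, which is the same gap in RACDCERT-issued certificates that the thread is about.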