List: racf-l
Subject: Re: [EXTERNAL] Re: Certificate revocation status checking
From: Travis Gibson <travis.gibson.c06u () STATEFARM ! COM>
Date: 2020-02-05 18:27:24
Message-ID: 87a95fd3de834441b90b9f0e29ddb4c0 () statefarm ! com
We do not have the HTTP server or an LDAP deployed on our z/OS system(s). We do have ICSF.
Managing an HTTP server and a new LDAP on z/OS would be significant work. I do not have any experience in managing either. I read over the LDAP objectclasses and attributes in the setup and it isn't exactly simple.
I thought the CRL would be necessary to support the revocation processes. How would you manage to stop certs that expired without the CRL?
For the modern browsers SAN and CRL extensions are being required. At minimum it would be nice to see RACDCERT be able to add these extensions.
-----Original Message-----
From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of Wai Choi
Sent: Tuesday, February 04, 2020 3:05 PM
To: RACF-L@LISTSERV.UGA.EDU
Subject: [EXTERNAL] Re: Certificate revocation status checking
Travis,
Are HTTP server, LDAP server and ICSF basic components that people usually
use? They all come with z/OS. PKI exits are optional.
You can choose to host PKI Services to provide basic functions or
implement it fully. Compared with RACDCERT, a basic PKI Services can
generate certificates with more extensions and can provide CRL even
without LDAP.
Regards,
Wai
Wai Choi - RACF/PKI Design and Development
From: Travis Gibson <travis.gibson.c06u@STATEFARM.COM>
To: RACF-L@LISTSERV.UGA.EDU
Date: 02/04/2020 10:50 AM
Subject: Re: [EXTERNAL] Re: Certificate revocation status checking
Sent by: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>
Standing up PKI on z/OS requires significant investment in new knowledge
and support.
- REXX CGI or JavaServer Pages (JSPs); in either case they would need to
have an HTTP server stood up on z/OS
- LDAP - for Certificate Revocation List (optionally off platform
(Linux/Windows))
- PKI
- ICSF
- Potential exits would be involved
If you want notifications then a mail server would also be needed on z/OS
-----Original Message-----
From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of
Wai Choi
Sent: Friday, January 31, 2020 3:43 PM
To: RACF-L@LISTSERV.UGA.EDU
Subject: [EXTERNAL] Re: Certificate revocation status checking
Hi all,
I posted these questions last month. I have received some responses
sent directly to me. I would like to thank those who have replied.
From the responses I collected so far:
1) revocation checking is needed for applications running on the non z
platforms;
2) commercial CA is needed only for external facing servers
We have received a requirement to enhance the RACDCERT generated
certificates to include multiple domain names in the Subject Alternate
Name extension. If the certificate is to be validated by the applications
running on the non z platforms and revocation status needs to be
checked, then the RACDCERT generated certificate cannot be used even if we
spend the effort to add multiple domain names support.
On the other hand, z/OS PKI Services already supports the generation of
certificates with multiple domain names AND it is able to generate
certificates with revocation information, either through Certificate
Revocation List (CRL) or Online Certificate Status Protocol (OCSP).
I understand issuing a RACDCERT GENCERT command is much simpler than
setting up a fully functioning CA. What simplifications would make you
consider using z/OS PKI Services for your internal use?
BTW, I made a typo in my previous replies. It should be corporate policy.
Regards,
Wai
Wai Choi - RACF/PKI Design and Development
From: Wai Choi <wchoi@US.IBM.COM>
To: RACF-L@LISTSERV.UGA.EDU
Date: 12/10/2019 02:38 PM
Subject: [EXTERNAL] Certificate revocation status checking
Sent by: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>
Hi all,
I believe most of the applications you use today are using digital
certificates. Would you share the answers for the following questions:
1) Do your applications need to check the revocation status of the
certificate? What is the percentage on those that require the checking vs
those that don't?
2) Does your company policy require ALL certificates to be issued by a
commercial CA? If not, how do you get them?
Thanks in advance for providing me the information.
Regards,
Wai
Wai Choi - RACF/PKI Design and Development
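The thread turns on two separate things a relying party checks: the validity period (which stops an expired certificate with no CRL at all) and the revocation pointers (CRL Distribution Points or an OCSP responder URL) that an application on a non-z platform needs before it can check revocation status. The Go program below, added here as an illustration and not code from the list, from IBM or from State Farm, builds self-signed sample certificates with and without SAN names, CRL and OCSP extensions, then runs standard path validation against each. All hostnames and URLs in it are constructed placeholders. It shows that expiry is rejected from NotAfter alone, that a certificate with no revocation pointers still passes path validation (Go's crypto/x509, like most TLS stacks, does no CRL or OCSP fetching on its own), and how to detect from the parsed certificate whether a revocation check is even possible.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertReport records what the thread cares about: SAN names, whether any
// revocation pointer (CRL DP or OCSP URL) is present, and validity-period state.
type CertReport struct {
	SANs         []string
	HasCRLDP     bool
	HasOCSP      bool
	Expired      bool
	RevocationOK bool // at least one of CRL DP / OCSP is present
}

// issueTestCert builds a self-signed sample certificate (constructed for this
// demonstration, not issued by any real CA) carrying the requested extensions.
func issueTestCert(dnsNames, crlURLs, ocspURLs []string, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsNames[0]},
		NotBefore:             notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:              notAfter,
		DNSNames:              dnsNames, // Subject Alternative Name extension
		CRLDistributionPoints: crlURLs,  // CRL Distribution Points extension
		OCSPServer:            ocspURLs, // Authority Information Access (OCSP)
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// inspect reads the extensions a relying party needs before it can attempt a
// revocation check, and compares the validity period against "now".
func inspect(cert *x509.Certificate, now time.Time) CertReport {
	r := CertReport{
		SANs:     cert.DNSNames,
		HasCRLDP: len(cert.CRLDistributionPoints) > 0,
		HasOCSP:  len(cert.OCSPServer) > 0,
		Expired:  now.Before(cert.NotBefore) || now.After(cert.NotAfter),
	}
	r.RevocationOK = r.HasCRLDP || r.HasOCSP
	return r
}

// verifyChain runs standard path validation (trust, validity period, hostname).
// It takes no CRL or OCSP input: expiry is enforced from NotAfter alone, and
// revocation checking is a separate step the application must perform itself.
func verifyChain(cert *x509.Certificate, now time.Time, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // the self-signed sample is its own trust anchor
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, DNSName: host})
	return err
}

// isExpiredError reports whether a verification failure is the validity-period
// failure specifically, rather than some other chain problem.
func isExpiredError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	now := time.Now()
	// Placeholder endpoints; a real CA publishes its own CRL and OCSP URLs.
	crl := []string{"http://pki.example.internal/crl/ca.crl"}
	ocsp := []string{"http://pki.example.internal/ocsp"}
	names := []string{"app.example.internal", "app-alt.example.internal"}

	cases := []struct {
		label             string
		crlURLs, ocspURLs []string
		notAfter          time.Time
	}{
		{"SAN+CRL+OCSP, in date", crl, ocsp, now.Add(90 * 24 * time.Hour)},
		{"no revocation pointers", nil, nil, now.Add(90 * 24 * time.Hour)},
		{"expired yesterday", crl, ocsp, now.Add(-24 * time.Hour)},
	}
	for _, c := range cases {
		cert, err := issueTestCert(names, c.crlURLs, c.ocspURLs, c.notAfter)
		if err != nil {
			panic(err)
		}
		rep := inspect(cert, now)
		fmt.Printf("%-24s SAN=%v CRLDP=%t OCSP=%t expired=%t verify=%v\n",
			c.label, rep.SANs, rep.HasCRLDP, rep.HasOCSP, rep.Expired, verifyChain(cert, now, names[0]))
	}
}
```

The second case is the one the thread is about: path validation passes, so nothing in the TLS stack forces a revocation check, and an application that wants one has to find a CRL DP or OCSP URL in the certificate and consult it. A RACDCERT GENCERT certificate without those extensions leaves that application with no way to do so, while an expired one is still refused.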