    Frequent CRL downloads

      A few days ago we received an email from a commercial Certificate Authority.

      They had observed about 10.000 CRL downloads last week from an address belonging to an MWG we have installed for one of our customers, and "threatened" to blacklist our IP address.

      The number of CRL downloads surprised us, since the MWG is scheduled to download CRLs only once a day.

      The policies are set up to only allow https access to sites with certificates from CAs the MWG trusts, and not to allow access to sites whose certificates are proven revoked.

      To verify if a certificate has been revoked, the MWG must read the CRL from the issuer, that's for sure.

      But we expected it to read it from its local copy, from the scheduled download.

      Or, at least, if it downloads it because of a client's request to an https site, that it cached it and used the cached copy for a period afterwards.

      With over 10.000 CRL downloads in a week from 1 CA, it doesn't look like it uses a local copy a lot to me ...


      Has anyone had similar experiences, or an explanation for this behavior?

      Should it be this way?



