[Swan-dev] atoi -- just say no
Paul Wouters
paul at nohats.ca
Tue May 20 19:13:16 EEST 2014
On Mon, 19 May 2014, D. Hugh Redelmeier wrote:
> | Although I did notice:
> |
> | case 'x': /* --crlcheckinterval <time>*/
> |         ugh = ttoul(optarg, 0, 10, &u);
> |         if (ugh != NULL)
> |                 break;
> |         crl_check_interval = u;
> |         continue;
> |
> | This is one that is not range checked. What would be a good ceiling for crl fetch intervals?
>
> I don't know any, so I didn't put one in.
I don't know of any real guidelines here. Googling shows this Microsoft
page:
http://technet.microsoft.com/es-es/library/ee619783%28v=ws.10%29.aspx
Overlapping CRL and OCSP validity periods
You must determine the validity period for CRL and OCSP responses based
on your risk assessment. Generally, you should implement your CA so that
it overlaps validity periods. For example, you could publish base CRLs
daily with a validity period of two days. To determine the validity
period for CRLs, use the following guidelines:
The validity period for issuing CAs should be no less than 12 hours
(especially if using LDAP URLs in AD DS).
CRLs should not be updated more frequently than every eight hours.
The validity period for CRLs at offline CAs is typically between
three and six months.
Since we don't really have a good idea, even about orders of magnitude,
I guess we should not enforce any limit on the user.
Paul
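As an added example, not code from this thread or from the project itself: a checked parse for the `--crlcheckinterval <time>` option in the `ttoul()` style quoted above (NULL on success, otherwise an error string), rejecting everything `atoi()` would silently swallow; the optional ceiling parameter is a hypothetical caller choice, and passing 0 enforces none, matching the thread's conclusion.

```c
/* Added example, not libreswan code: a checked replacement for an
 * atoi()-style parse of --crlcheckinterval <time>, following the ttoul()
 * convention quoted above (NULL on success, else an error string, "ugh").
 * The ceiling is a hypothetical caller choice; 0 means no ceiling. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

typedef const char *err_t;

err_t parse_interval(const char *s, unsigned long ceiling, unsigned long *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || *s == '\0')
        return "empty interval";
    /* strtoul() quietly accepts leading whitespace and a '-' sign (which
     * wraps to a huge value); requiring a leading digit rejects both. */
    if (!isdigit((unsigned char)*s))
        return "interval must start with a digit";
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE)
        return "interval does not fit in unsigned long";
    if (*end != '\0')
        return "trailing characters after interval";
    if (ceiling != 0 && v > ceiling)
        return "interval exceeds ceiling";
    *out = v;
    return NULL;
}

int main(void)
{
    /* Constructed inputs; atoi() is shown only to contrast its silence. */
    const char *samples[] = { "3600", "-1", "12abc", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long u = 0;
        err_t ugh = parse_interval(samples[i], 0, &u);
        printf("%-8s atoi=%d checked=%s\n", samples[i], atoi(samples[i]),
               ugh == NULL ? "ok" : ugh);
    }
    return 0;
}
```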