> From: Vincent Truchsess - rockenstein AG <vt@xxxxxxxxxxxxxx> > Sent: Friday, 4 December, 2020 08:59 > > That would be the the ideal solution. The problem is that the customer's > security-policy demands dedicated hardware performing IDS/IPS functionality > at the point of TLS-termination. The devices at hand do not provide the > functionality to call a user-defined external service for certificate > validation apart from OCSP. > > The future workaround will be a mockup OCSP-responder but that solution will > need some time for implementation. our current focus lies on a rather quick > than perfect solution that buys some time to ship something more solid. Ah, I see. Thanks for the clarification. I don't offhand see a quick workaround for your situation. I'm not sure what would happen if you cross-signed all the client certificates with a CA under your control, and then generated a CRL for the ones you want to exclude. Or actually you could just cross-sign only the ones you want to allow, and made your CA the only trust root for the TLS termination systems; that would work. But I'm guessing modifying every client certificate is not a feasible solution for you either. If it is, cross-signing with a CA under your control and trusting only that CA is probably the approach I'd go for. That's a legitimate approach under PKIX. It could even be mostly automated, except the end users would have to install updated user certificates, which is probably a deal-breaker. -- Michael Wojcik
