Forum Discussion

Jul 28, 2016

CRL vs Checking if account is disabled

When it comes to CAC authentication, is there a particular benefit in checking if certificates from the CAC were revoked using a CRL, as opposed to parsing out the CN value (identifier in AD) to see if the account is enabled?


I do not know what the common practice is in system administration for disabling accounts and revoking certificates, so I am really unable to answer this question. If the two actions are tied together, say when the certs are revoked the AD account is set to disabled, is there a key advantage in performing one over the other? My intuition leads me to believe that checking against the AD would 'always' be more accurate than the CRL or even OCSP. In other words, I feel that checking in AD to see if the account is disabled is more "authoritative" over a CRL.
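An added example (not code from the post or from any product it mentions) that models the two checks the question compares side by side: a revocation check against a CRL, and a lookup of the directory account named in the certificate's CN. It uses constructed certificates, a constructed CRL and a small in-memory stand-in for the directory; the only real identifiers are the AD attribute `userAccountControl` with its `ACCOUNTDISABLE` (0x2) and `NORMAL_ACCOUNT` (0x200) bits, and the CAC-style `LAST.FIRST.MIDDLE.EDIPI` CN layout. The scenarios show why a defender does both checks rather than picking one: the directory answers immediately when an account is disabled, the CRL catches a revoked credential whose account is still enabled, a stale CRL is treated as a failure rather than as "not revoked", and a CN is only trusted once the certificate's issuer is in the trusted set.

```python
"""Combine CRL revocation status with directory account status for a
CAC-style logon. Everything below is constructed sample data; the CA name,
serials, CNs and EDIPIs are placeholders, not real values."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

ACCOUNTDISABLE = 0x2     # real userAccountControl bit: account is disabled
NORMAL_ACCOUNT = 0x200   # real userAccountControl bit: ordinary user account


class Decision(Enum):
    ALLOW = "allow"
    DENY_REVOKED = "deny: certificate serial is on the CRL"
    DENY_DISABLED = "deny: directory account is disabled"
    DENY_UNKNOWN_ACCOUNT = "deny: no directory account bound to this CN"
    DENY_NO_FRESH_CRL = "deny: no CRL for issuer, or CRL past nextUpdate"
    DENY_UNTRUSTED_ISSUER = "deny: certificate issuer is not trusted"


@dataclass(frozen=True)
class Cert:           # minimal stand-in for an X.509 certificate
    issuer: str
    serial: int
    subject_cn: str   # e.g. "DOE.JANE.A.1234567890" (constructed)


@dataclass(frozen=True)
class Crl:            # minimal stand-in for a CRL
    issuer: str
    revoked_serials: frozenset
    this_update: datetime
    next_update: datetime


def edipi_from_cn(cn: str) -> str:
    """Return the trailing numeric identifier of a CAC-style CN."""
    tail = cn.rsplit(".", 1)[-1]
    if not tail.isdigit():
        raise ValueError(f"CN does not end in a numeric identifier: {cn!r}")
    return tail


def decide(cert, crls, directory, trusted_issuers, now) -> Decision:
    """Policy: trusted issuer AND fresh CRL says not revoked AND account enabled."""
    if cert.issuer not in trusted_issuers:
        return Decision.DENY_UNTRUSTED_ISSUER        # never map CN to an account otherwise
    crl = crls.get(cert.issuer)
    if crl is None or now > crl.next_update:
        return Decision.DENY_NO_FRESH_CRL           # fail closed on a missing/stale CRL
    if cert.serial in crl.revoked_serials:
        return Decision.DENY_REVOKED
    try:
        key = edipi_from_cn(cert.subject_cn)
    except ValueError:
        return Decision.DENY_UNKNOWN_ACCOUNT
    account = directory.get(key)
    if account is None:
        return Decision.DENY_UNKNOWN_ACCOUNT
    if account["userAccountControl"] & ACCOUNTDISABLE:
        return Decision.DENY_DISABLED
    return Decision.ALLOW


# ---- constructed sample data -------------------------------------------
NOW = datetime(2016, 7, 28, 12, 0, tzinfo=timezone.utc)
ISSUER = "CN=EXAMPLE ID CA"                          # placeholder CA name
TRUSTED = {ISSUER}
CRLS = {ISSUER: Crl(ISSUER, frozenset({0x1003}),
                    NOW - timedelta(hours=6), NOW + timedelta(days=1))}
DIRECTORY = {   # EDIPI -> account; constructed
    "1111111111": {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT},
    "2222222222": {"sAMAccountName": "rroe", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    "3333333333": {"sAMAccountName": "spoe", "userAccountControl": NORMAL_ACCOUNT},
}
SCENARIOS = {
    "enabled account, not revoked": (Cert(ISSUER, 0x1001, "DOE.JANE.A.1111111111"), NOW),
    "disabled account, not revoked": (Cert(ISSUER, 0x1002, "ROE.RICHARD.B.2222222222"), NOW),
    "revoked cert, account still enabled": (Cert(ISSUER, 0x1003, "POE.SAM.C.3333333333"), NOW),
    "stale CRL": (Cert(ISSUER, 0x1001, "DOE.JANE.A.1111111111"), NOW + timedelta(days=3)),
    "untrusted issuer, CN matches an enabled account":
        (Cert("CN=SOME OTHER CA", 0x1001, "DOE.JANE.A.1111111111"), NOW),
}


def run_scenarios() -> dict:
    """Evaluate every constructed scenario; returns scenario name -> Decision."""
    return {name: decide(cert, CRLS, DIRECTORY, TRUSTED, when)
            for name, (cert, when) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:50s} -> {result.value}")
```

The ordering inside `decide` is deliberate: the issuer check comes first so that a CN is never used as a directory key for a certificate the relying party does not trust, and a CRL that is missing or past its `nextUpdate` denies rather than silently passing, which is the "delay" problem with CRLs in concrete form. Running the script prints one decision per scenario.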


1 Reply

  • I agree with you. CRLs are meant more for when there isn't another source to check. I mean, an AD is not always involved, and then CRLs are nice. But certainly the delay can be an issue.