Panasonic NN46110-600 User Manual


Chapter 3 Using certificates 91

Figure 15 CRL distribution points

A tunnel is established more quickly if you authenticate only against the CRL specified in the certificate's CDP. When you present a certificate for verification, the CDP is read from your certificate. Using that CDP information, a filter for the LDAP query is built and only the CRL records that match your CDP are retrieved. That way you are authenticated against one CRL instead of all available CRLs.

Even if the list of CRLs is long, it does not affect the performance of the VPN Router because only one CRL is used. If CRL checking is set to mandatory and CRLs are not present on the VPN Router, a request is made to the CA LDAP server to obtain only the CRL specified in the user's certificate CDP. Only that CRL is loaded into the VPN Router LDAP.

When CRL optimization is enabled, CRL checking is performed against the Global CRL collection, which is stored in VPN Router memory. When CDP support is implemented, a user's certificate obtained from the Entrust CA is verified against one CRL from the Global CRL collection.
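The CDP-driven lookup described above, as an added illustration that is not Nortel's code: it assumes an LDAP-form CDP URI in the certificate, models the Global CRL collection as an in-memory dictionary keyed by the distribution point DN, and replaces the CA LDAP query with a constructed stand-in (`fake_ca_ldap`) and constructed CRL data.

```python
from urllib.parse import urlparse, unquote

def normalize_dn(dn):
    """Canonical DN form so the CDP DN matches the collection key despite case/spacing."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldap_cdp(uri):
    """Split an LDAP-form CDP URI into the parts needed to build the LDAP query."""
    u = urlparse(uri)
    if u.scheme != "ldap":
        raise ValueError("only LDAP CDPs are handled in this example")
    q = (u.query.split("?") + ["", "", ""])[:3]   # attrs?scope?filter (all optional)
    return {
        "host": u.netloc,
        "dn": normalize_dn(unquote(u.path.lstrip("/"))),
        "attrs": unquote(q[0]) or "certificateRevocationList;binary",
        "scope": q[1] or "base",
        "filter": unquote(q[2]) or "(objectClass=cRLDistributionPoint)",
    }

def check_certificate(cdp_uri, serial, collection, fetch_crl, mandatory=True):
    """Check one serial against only the CRL named by the certificate's CDP.

    collection: the router's in-memory Global CRL collection, keyed by DP DN.
    fetch_crl:  callable(cdp) -> CRL dict or None, standing in for the CA LDAP query.
    Returns "good", "revoked" or "no-crl" (caller decides what "no-crl" means).
    """
    cdp = parse_ldap_cdp(cdp_uri)
    crl = collection.get(cdp["dn"])
    if crl is None and mandatory:
        crl = fetch_crl(cdp)                  # ask the CA LDAP for this CRL only
        if crl is not None:
            collection[cdp["dn"]] = crl       # load just that CRL into the router
    if crl is None:
        return "no-crl"
    return "revoked" if serial in crl["revoked"] else "good"

# Constructed sample data (hypothetical): a CA directory with two CRLs, an empty router.
CA_DIRECTORY = {
    "cn=crl1,o=example,c=us": {"revoked": {0x1001, 0x1002}},
    "cn=crl2,o=example,c=us": {"revoked": {0x2001}},
}
ROUTER_COLLECTION = {}
USER_CDP = ("ldap://ca.example.com/CN=CRL1,O=Example,C=US"
            "?certificateRevocationList;binary?base?(objectClass=cRLDistributionPoint)")

def fake_ca_ldap(cdp):
    """Stand-in for the CA LDAP query: returns only the entry matching the CDP DN."""
    return CA_DIRECTORY.get(cdp["dn"])

def demo():
    r1 = check_certificate(USER_CDP, 0x1001, ROUTER_COLLECTION, fake_ca_ldap)
    r2 = check_certificate(USER_CDP, 0x1003, ROUTER_COLLECTION, fake_ca_ldap)
    return r1, r2, len(ROUTER_COLLECTION)   # second check reuses the loaded CRL

if __name__ == "__main__":
    print(demo())
```

After the first check only CRL1 is held by the router, even though the CA directory offers two CRLs.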

Nortel VPN Router Security — Servers, Authentication, and Certificates
