> Having OCSP/CRL will help.

Actually, that is not at all clear.

http://www.imperialviolet.org/2011/03/18/revocation.html
http://www.ietf.org/mail-archive/web/websec/current/msg00296.html

Compound the generally low reliability and performance of CAs' OCSP and CRL endpoints, multiply that times the poor connectivity you get on mobile platforms, and revocation checking starts to look like a real loser. Even in the best circumstances, checking OCSP or a CRL seriously impacts the latency of setting up a TLS connection.