Hi,

Ram A M wrote:
While CRLs and OCSP are probably both fine for server use;

OCSP is unsuitable for many servers' use for performance reasons. The server usually can't afford to make an outgoing OCSP request and process an OCSP response for every incoming connection. This process roughly doubles the overhead of the server per incoming connection, and therefore more than doubles the cost of running it. You'll basically need twice as much server hardware if you use OCSP vs. not using it. This is not even taking into account the cost of running the responder.


CRLs on the other hand don't have that problem. They can be downloaded and processed at an interval much less frequent than once per connection and locally cached. With the current NSS implementation, the additional overhead of using CRLs in an SSL server is so small compared to all other tasks as to not be measurable.
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
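The trade-off in the message above, as an added simulation that is not part of the thread and not NSS code: a server that asks the responder per handshake makes one network request per connection, while a server that caches a CRL makes one download per validity period, at the price of not seeing a revocation until the cached CRL's nextUpdate passes. Everything here is constructed (the "CA" is an in-memory set of revoked serials, the network is a counter), so it runs offline; the class and function names are assumptions for illustration.

```python
"""Per-connection OCSP versus a cached CRL: request counts and detection latency.

Constructed example: FakeCA stands in for both the OCSP responder and the
CRL distribution point, so no network traffic is generated.
"""
from dataclasses import dataclass, field


@dataclass
class FakeCA:
    """Counts how often each revocation source is hit by the server."""
    revoked: set = field(default_factory=set)
    ocsp_requests: int = 0
    crl_downloads: int = 0

    def ocsp_status(self, serial: int) -> str:
        # One round trip to the responder per call (what OCSP-per-connection costs).
        self.ocsp_requests += 1
        return "revoked" if serial in self.revoked else "good"

    def fetch_crl(self, now: float, validity: float) -> dict:
        # One download of the full list; valid until next_update.
        self.crl_downloads += 1
        return {
            "this_update": now,
            "next_update": now + validity,
            "revoked": frozenset(self.revoked),  # snapshot taken at download time
        }


class CrlCache:
    """Locally cached CRL, refreshed only when the cached copy has expired."""

    def __init__(self, ca: FakeCA, validity: float = 3600.0):
        self.ca = ca
        self.validity = validity
        self.crl = None

    def is_revoked(self, serial: int, now: float) -> bool:
        if self.crl is None or now >= self.crl["next_update"]:
            self.crl = self.ca.fetch_crl(now, self.validity)
        # Lookup is a local set membership test: no network cost per connection.
        return serial in self.crl["revoked"]


def simulate(n_conns: int, conn_interval: float, crl_validity: float,
             revoke_at: float, serial: int) -> dict:
    """Run n_conns handshakes, conn_interval seconds apart, against two servers:
    one asking the responder on every connection and one using a cached CRL.
    The certificate with `serial` is revoked by the CA at time `revoke_at`.
    Returns the request counts and when each approach first reports revoked."""
    ca = FakeCA()
    cache = CrlCache(ca, crl_validity)
    ocsp_first = crl_first = None
    for i in range(n_conns):
        now = i * conn_interval
        if now >= revoke_at:
            ca.revoked.add(serial)
        # Server A: OCSP query on every incoming connection.
        if ca.ocsp_status(serial) == "revoked" and ocsp_first is None:
            ocsp_first = now
        # Server B: cached CRL, refreshed at most once per validity period.
        if cache.is_revoked(serial, now) and crl_first is None:
            crl_first = now
    return {
        "ocsp_requests": ca.ocsp_requests,
        "crl_downloads": ca.crl_downloads,
        "ocsp_detects_at": ocsp_first,
        "crl_detects_at": crl_first,
    }


if __name__ == "__main__":
    # 1000 connections one second apart, 5-minute CRL validity, revocation at t=100s.
    print(simulate(1000, 1.0, 300.0, 100.0, 0x1234))
```

The numbers make the two sides of the argument visible: 1000 connections cost the OCSP server 1000 responder round trips but the CRL server only 4 downloads, while the CRL server keeps accepting the revoked certificate until the next scheduled refresh (t=300s here versus t=100s for OCSP). Shortening the CRL validity narrows that window at the cost of more downloads, which is the knob the message's "interval much less frequent than once per connection" refers to.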