Julien Pierre wrote:
> Hi,
>
> Ram A M wrote:
>> While CRLs and OCSP are probably both fine for server use;
>
> OCSP is unsuitable for many servers' use for performance reasons. The server usually can't afford to make an outgoing OCSP request and process an OCSP response for every incoming connection. This process roughly doubles the overhead of the server per incoming connection, and therefore more than doubles the cost of running it. You'll basically need twice as much server hardware if you use OCSP vs not using it. This is not even taking into account the cost of running the responder.


I'm guessing here you are referring to servers
set up to accept client side certificates?

> CRLs on the other hand don't have that problem. They can be downloaded and processed at an interval much less frequent than once per connection and locally cached. With the current NSS implementation, the additional overhead of using CRLs in an SSL server is so small compared to all other tasks as to not be measurable.


Wouldn't such servers be generally set up under
fairly close system administration control?
And thus take themselves out of the scope of
"default" policies such as envisaged by the
default root list distros.

I don't know much in this area - I've not seen
too much in way of servers that do client certs
nor deal with CRLs, etc.  Do Mozilla actually
deliver a server?

It would be a way of simplifying the debate;
It seems as if there are two potential 'sets':

1. Firefox, etc, people who are 'average users'
and expected not to touch defaults.  For this
application, OCSP may help.  Phishing is a problem
with this set.

2. Servers, etc, administrators could be expected
to be 'savvy' and capable of dealing with CRLs and
root lists.  Hackers may be a problem here, and
phishing may be a *secondary* issue, after the
info has been extracted from users, but if client
side certs are in use this would be a much more
sophisticated breach involving virus/trojan
compromise at the minimum.

Does that fly?

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
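The amortization argument Julien makes above (fetch the CRL on an interval, consult it locally on every connection) is easy to see in code. The following is an added example, not code from this thread or from NSS: a per-issuer CRL cache with instrumentation, driven by a constructed clock and a hypothetical `fetch_crl` stand-in for the download, so it runs offline. The revoked serials and client serials are made up for the demo.

```python
import time
from dataclasses import dataclass

# Constructed sample: the serials this CA has "revoked". A real server would
# parse them out of the downloaded, signature-checked CRL.
REVOKED_SERIALS = frozenset({0x1001, 0x1003})


@dataclass(frozen=True)
class CRL:
    """Only the parts of a CRL a server needs at connection time."""
    issuer: str
    revoked: frozenset
    next_update: float  # seconds since epoch; after this the CRL is expired


class CRLCache:
    """One cached CRL per issuer, refreshed only when stale.

    `fetch(issuer)` is the slow part (download + signature check + parse) and
    is supplied by the caller; `status()` is what runs once per connection and
    normally touches nothing but an in-memory set.
    """

    def __init__(self, fetch, refresh_interval, now=time.time):
        self._fetch = fetch
        self._interval = refresh_interval
        self._now = now
        self._cache = {}          # issuer -> (crl, fetched_at)
        self.fetch_count = 0      # instrumentation for the demo
        self.lookup_count = 0

    def _current(self, issuer):
        now = self._now()
        entry = self._cache.get(issuer)
        if entry is not None:
            crl, fetched_at = entry
            # Refresh when our own interval has elapsed or the CRL itself
            # has expired, whichever comes first.
            if now - fetched_at < self._interval and now < crl.next_update:
                return crl        # fast path: no I/O at all
        self.fetch_count += 1
        crl = self._fetch(issuer)
        self._cache[issuer] = (crl, now)
        return crl

    def status(self, issuer, serial):
        """Return 'revoked', 'good' or 'unknown' for one certificate."""
        self.lookup_count += 1
        try:
            crl = self._current(issuer)
        except OSError:
            return "unknown"      # download failed; caller decides fail-open/closed
        if self._now() >= crl.next_update:
            return "unknown"      # even a freshly fetched CRL can already be expired
        return "revoked" if serial in crl.revoked else "good"


class FakeClock:
    """Deterministic clock so the demo is repeatable and needs no sleeping."""

    def __init__(self, start=0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate(connections=3600, refresh_interval=900):
    """Serve `connections` client-cert handshakes one second apart."""
    clock = FakeClock()

    def fetch_crl(issuer):
        # Hypothetical stand-in for the download; the CRL is good for a day.
        return CRL(issuer, REVOKED_SERIALS, next_update=clock.now() + 86400)

    cache = CRLCache(fetch_crl, refresh_interval, now=clock.now)
    results = {"good": 0, "revoked": 0, "unknown": 0}
    for i in range(connections):
        serial = 0x1000 + (i % 4)     # constructed client serials 0x1000..0x1003
        results[cache.status("Example CA", serial)] += 1
        clock.advance(1)
    return cache, results


if __name__ == "__main__":
    cache, results = simulate()
    print(f"lookups={cache.lookup_count} fetches={cache.fetch_count} {results}")
```

An hour of one-connection-per-second traffic with a 15-minute refresh interval costs four CRL fetches against 3600 lookups; the same hour with per-connection OCSP would cost 3600 round trips. The `unknown` result is the part worth keeping: a CRL whose nextUpdate has passed, or one that could not be downloaded, must not be silently treated as "nothing revoked".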