On 5/10/05, Jean-Marc Desperrier <[EMAIL PROTECTED]> wrote:
> Ram A Moskovitz wrote:
> > For codesigning CRLs VeriSign is currently taking the hit and keeps
> > advising revoked certificates are revoked long after they expire
> > because of limitations in software clients which will hopefully
> > someday be upgraded with respect to revocation checking. This is very
> > expensive for us
>
> ?? Your publicly available codesigning CRLs here
> http://crl.verisign.com/ are all very small compared with the server
> certificate CRL, even with the old cert.

There are many more PKI enhanced HTTP servers than software publishers.

> If all your users were switching to OCSP, the required bandwidth would
> be more expensive I think.

There may be cases where CRL requests are cheaper to service than OCSP
ones, but that's generally not the case where large scale service is
required. In either case I think it's better for everyone if OCSP is
used instead of CRLs.

There has been plenty of discussion on the IETF lists if you want more
content; here are a couple of relevant links back into npmc:

http://groups-beta.google.com/group/netscape.public.mozilla.crypto/msg/8948ca5ba28c1119?hl=en
http://groups-beta.google.com/group/netscape.public.mozilla.crypto/msg/a106c8e04cd502f2?hl=en

VeriSign has been running online certificate validation services since
it deployed the first commercial one in 1997. Shortly thereafter
VeriSign and other companies began working within the IETF to
standardize the thing, and two years later RFC 2560 OCSP was published.

If it were up to us, user agents would look at a certificate to determine
what revocation method is supported, which in our case is generally OCSP
primary with support for fallback to CRL (if you are offline or cannot
reach the server for any reason).

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
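The client-side selection logic described in the last paragraph of the message above (read the certificate to see which revocation methods it advertises, query OCSP first, fall back to the CRL when the responder cannot be reached), as an added example that is not code from the original post, from VeriSign or from Mozilla. It uses only Go's standard-library crypto/x509: the Authority Information Access extension carries the OCSP responder URL and the CRL Distribution Points extension carries the CRL URL. The self-signed code-signing certificate, its `example.invalid` URLs and the simulated responders are constructed for the example; the `Checker` callback stands in for the real OCSP and CRL transports.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Method is a revocation-checking method a client can use.
type Method string

const (
	MethodOCSP Method = "ocsp"
	MethodCRL  Method = "crl"
)

// Source is one endpoint the client could ask about the certificate's status.
type Source struct {
	Method Method
	URL    string
}

// RevocationSources reads the OCSP responder URLs (AIA extension) and the
// CRL distribution points from the certificate and returns them in the
// order a client should try them: OCSP first, then CRL. A certificate that
// advertises neither yields an empty list.
func RevocationSources(cert *x509.Certificate) []Source {
	var out []Source
	for _, u := range cert.OCSPServer {
		out = append(out, Source{MethodOCSP, u})
	}
	for _, u := range cert.CRLDistributionPoints {
		out = append(out, Source{MethodCRL, u})
	}
	return out
}

// Checker queries one source. A non-nil error means the source could not be
// consulted (offline, timeout, unparseable response), not that the
// certificate is bad; the caller then moves on to the next source.
type Checker func(s Source) (revoked bool, err error)

// ErrNoAnswer is returned when every advertised source failed. Whether that
// is a soft-fail (accept) or hard-fail (reject) is policy left to the caller.
var ErrNoAnswer = errors.New("no revocation source gave a definitive answer")

// CheckWithFallback walks the sources OCSP-first and stops at the first
// definitive answer, reporting which source produced it.
func CheckWithFallback(cert *x509.Certificate, check Checker) (revoked bool, used Source, err error) {
	for _, s := range RevocationSources(cert) {
		r, e := check(s)
		if e != nil {
			continue // unreachable or malformed: try the next source
		}
		return r, s, nil
	}
	return false, Source{}, ErrNoAnswer
}

// newTestCert builds a constructed, self-signed code-signing certificate that
// advertises both an OCSP responder and a CRL (hypothetical URLs).
func newTestCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-publisher"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		OCSPServer:            []string{"http://ocsp.example.invalid"},
		CRLDistributionPoints: []string{"http://crl.example.invalid/code.crl"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Parse it back so the extensions are read the way a client would read them.
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := newTestCert()
	if err != nil {
		panic(err)
	}
	// Simulated client that cannot reach the OCSP responder but can fetch the CRL.
	ocspDown := func(s Source) (bool, error) {
		if s.Method == MethodOCSP {
			return false, errors.New("ocsp responder unreachable")
		}
		return false, nil // CRL fetched, serial not listed
	}
	revoked, used, err := CheckWithFallback(cert, ocspDown)
	fmt.Printf("revoked=%v used=%s %s err=%v\n", revoked, used.Method, used.URL, err)
}
```

The point worth keeping from the fallback loop is that a transport failure and a revoked answer are different outcomes: a client that treats "could not reach OCSP" as "not revoked" without consulting the CRL is exactly the soft-fail behaviour that makes revocation ineffective, and `ErrNoAnswer` surfaces the all-sources-down case so that policy is decided explicitly rather than by accident.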
