Jean-Marc Desperrier wrote:
> But the one case in real life where servers were down on their knees,
> was not a case where OCSP would be likely to have brought a real
> advantage. And as both CRL and OCSP are distributed over HTTP, there is
> not a clear reason why one can be scaled and not the other, as soon as
> we're not in a situation where one of the two has a much larger bandwidth
> requirement.

The gain is in the potential to notice revocations sooner with OCSP. A CRL might have a 7 day TTL/cache time-out; in 7 days a lot of "issues" can arise, so being able to check OCSP hourly or even more often has the potential to notify you that something is amiss much sooner...

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
