Jean-Marc Desperrier wrote:
> Duane wrote:
>
>> The gain is in the potential to notice revocations sooner with OCSP, CRL
>> might have a 7 day TTL/cache time-out, in 7 days a lot of "issues" can
>> arise, so being able to check OCSP hourly or even more often has the
>> potential to notify you that something is amiss much sooner...
>
>
> If you follow the discussion, Ram says we'll have a *bandwidth* issue
> with CRL.

As long as clients adhere to the CRL TTL I don't see how. If a CA was feeling pressured by downloads they could simply increase the TTL and subsequent downloads would be spaced further apart, but then this becomes an issue for other reasons...

-- 
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right,
 but the optimist has a better time on the trip."
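Added illustration, not part of the original thread: a small simulation of the trade-off discussed above, where a client that honours the CRL's nextUpdate downloads less often as the TTL grows but also notices a revocation later. The `Ca` and `Client` classes, the hourly validation schedule, and a CA that builds a fresh CRL on every download are assumptions made for the example.

```python
from dataclasses import dataclass

HOUR = 3600

@dataclass
class Crl:
    this_update: int    # when the CA produced this CRL (seconds)
    next_update: int    # clients may cache the CRL until this time
    revoked: frozenset  # serial numbers revoked as of this_update

class Ca:
    """Constructed CA: builds a fresh CRL on every download and counts them."""
    def __init__(self, ttl):
        self.ttl = ttl
        self.revocations = {}  # serial -> time the revocation takes effect
        self.downloads = 0

    def revoke(self, serial, when):
        self.revocations[serial] = when

    def fetch_crl(self, now):
        self.downloads += 1
        revoked = frozenset(s for s, t in self.revocations.items() if t <= now)
        return Crl(now, now + self.ttl, revoked)

class Client:
    """Relying party that re-downloads only once nextUpdate has passed."""
    def __init__(self, ca):
        self.ca = ca
        self.cached = None

    def is_revoked(self, serial, now):
        if self.cached is None or now >= self.cached.next_update:
            self.cached = self.ca.fetch_crl(now)
        return serial in self.cached.revoked

def simulate(ttl_hours, revoked_at_hour, horizon_hours=14 * 24, serial=0x1234):
    """Return (CRL downloads, hours between revocation and the client noticing)."""
    ca = Ca(ttl_hours * HOUR)
    ca.revoke(serial, revoked_at_hour * HOUR)
    client = Client(ca)
    noticed = None
    for hour in range(horizon_hours):  # the client validates once per hour
        if client.is_revoked(serial, hour * HOUR) and noticed is None:
            noticed = hour
    delay = None if noticed is None else noticed - revoked_at_hour
    return ca.downloads, delay

if __name__ == "__main__":
    for ttl in (168, 24, 1):  # 7 days, 1 day, 1 hour
        print(ttl, simulate(ttl, revoked_at_hour=1))
```

With one client over two weeks, a 7 day TTL costs 2 downloads but leaves the revocation unnoticed for 167 hours, while a 1 hour TTL notices within the hour at the cost of 336 downloads.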
