> It seems like OCSP and CRL both are vulnerable to DOS.
The difference is that if you can't get to the OCSP responder, you know.
You don't have a positive -- cert hasn't been revoked -- response.
If you can't get to the CRL, you don't know. You don't know if there is a
new CRL to get or not. That is why many protocols and data formats (e.g.,
PKCS#7), allow you to include a CRL with the data, so you can show your
receiver what data you had at the time.
It would be nice if TLS could include CRLs in the cert exchange.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
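As an added example that is not part of the thread: a receiver that judges the signer's certificate only from a CRL bundled with the data, as the message describes for PKCS#7, and answers "unknown" rather than "good" whenever the CRL cannot be verified or was not current at the claimed signing time. It uses the Python `cryptography` package; the CA, certificate, CRL, serial numbers and clock are all constructed inside the snippet.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ISSUE_TIME = datetime(2024, 1, 1)  # constructed fixed clock, naive UTC as cryptography expects

def build_fixture(now, revoke=False):
    """Constructed CA, end-entity cert and a 7-day CRL; optionally the CRL revokes that cert."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "signer")]))
            .issuer_name(ca_name).public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))
    # Revoke the signer's serial or an unrelated constructed one, so the CRL is never empty.
    revoked = (x509.RevokedCertificateBuilder()
               .serial_number(cert.serial_number if revoke else 0x1234)
               .revocation_date(now).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
           .last_update(now).next_update(now + timedelta(days=7))
           .add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    return ca_key.public_key(), cert, crl

def crl_window(crl):
    """(thisUpdate, nextUpdate) as naive UTC; newer cryptography exposes *_utc accessors."""
    if hasattr(crl, "next_update_utc"):
        return crl.last_update_utc.replace(tzinfo=None), crl.next_update_utc.replace(tzinfo=None)
    return crl.last_update, crl.next_update

def status_from_bundled_crl(cert, crl, ca_public_key, at_time):
    """Status of cert at at_time from a bundled CRL only; anything unprovable is 'unknown'."""
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_public_key):
        return "unknown"  # not our CA's CRL, or a tampered one
    this_update, next_update = crl_window(crl)
    if not this_update <= at_time <= next_update:
        return "unknown"  # CRL was not current then; a newer CRL might list the cert
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"

def scenario(days_after_crl, revoke=False, wrong_ca=False):
    """Status of a signature claimed to be made days_after_crl days after the bundled CRL was cut."""
    ca_pub, cert, crl = build_fixture(ISSUE_TIME, revoke)
    if wrong_ca:
        ca_pub = build_fixture(ISSUE_TIME)[0]  # trust anchor that did not sign this CRL
    return status_from_bundled_crl(cert, crl, ca_pub, ISSUE_TIME + timedelta(days=days_after_crl))
```

The stale-CRL and untrusted-signer cases both come back "unknown", which is the state the message contrasts with a missing OCSP answer: the receiver has no positive statement either way and must decide policy, not assume "not revoked".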