> It seems like OCSP and CRL both are vulnerable to DoS. The difference is that if you can't get to the OCSP responder, you know. You don't have a positive -- cert hasn't been revoked -- response.
If you can't get to the CRL, you don't know. You don't know if there is a new CRL to get or not. That is why many protocols and data formats (e.g., PKCS#7) allow you to include a CRL with the data, so you can show your receiver what data you had at the time. It would be nice if TLS could include CRLs in the cert exchange.

        /r$

--
Rich Salz
Chief Security Architect
DataPower Technology                            http://www.datapower.com
XS40 XML Security Gateway    http://www.datapower.com/products/xs40.html
XML Security Overview   http://www.datapower.com/xmldev/xmlsecurity.html

______________________________________________________________________
OpenSSL Project                                  http://www.openssl.org
Development Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                [EMAIL PROTECTED]
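The two points in the reply above, shipping the CRL inside a PKCS#7 structure so the receiver sees the revocation data the sender had, and treating "no fresh CRL reachable" as "don't know" rather than "not revoked", can be shown end to end with the openssl command line. The script below is an added illustration written for this page; it is not code from the original post or from the OpenSSL project. It assumes an openssl CLI (1.1.1 or 3.x) is on the PATH; the demo CA config, the file names and the CN values are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread.  Assumes the openssl CLI
# (1.1.1 or 3.x); the demo CA config, file names and CNs are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so `openssl ca` can issue certificates and a CRL.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = index.txt
new_certs_dir    = newcerts
certificate      = ca.pem
private_key      = ca.key
serial           = serial
crlnumber        = crlnumber
default_md       = sha256
default_crl_days = 1
policy           = any_policy
[ any_policy ]
commonName       = supplied
EOF
mkdir newcerts
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# Sender side: a demo CA and two leaf certs, one of which is then revoked.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo CA" -days 30 2>/dev/null
for name in revoked ok; do
    openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
        -subj "/CN=$name" 2>/dev/null
    openssl ca -batch -config ca.cnf -notext -days 30 \
        -in "$name.csr" -out "$name.pem" >/dev/null 2>&1
done
openssl ca -batch -config ca.cnf -revoke revoked.pem >/dev/null 2>&1
openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null

# Ship the CRL with the data: a (degenerate) PKCS#7 SignedData that carries
# the CRL and the certificates, so the receiver sees exactly which
# revocation information the sender had at the time.
openssl crl2pkcs7 -in crl.pem -certfile revoked.pem -certfile ca.pem -out bundle.p7b

# Receiver side: pull the CRL back out of the PKCS#7 bundle.
openssl pkcs7 -in bundle.p7b -print_certs |
    awk '/-----BEGIN X509 CRL-----/,/-----END X509 CRL-----/' > received_crl.pem

# Three-state revocation check.  "unknown" is the honest answer whenever the
# CRL is missing, stale or otherwise unusable; it must never become "good".
#   $1 = leaf cert, $2 = CRL file ("" if none), $3 = optional epoch time
revocation_status() {
    leaf=$1; crl=$2; at=${3:-}
    set -- -crl_check -CAfile ca.pem
    [ -n "$crl" ] && set -- "$@" -CRLfile "$crl"
    [ -n "$at" ]  && set -- "$@" -attime "$at"
    out=$(openssl verify "$@" "$leaf" 2>&1 || true)
    if printf '%s\n' "$out" | grep -q 'certificate revoked'; then
        echo revoked    # listed on the CRL (even a stale CRL proves this)
    elif printf '%s\n' "$out" | grep -q 'CRL'; then
        echo unknown    # no CRL, expired CRL, bad CRL signature, ...
    elif printf '%s\n' "$out" | grep -q ': OK'; then
        echo good       # fresh CRL checked and the cert is not on it
    else
        echo unknown
    fi
}

TWO_DAYS_AHEAD=$(( $(date +%s) + 2 * 86400 ))   # past the CRL's nextUpdate
revocation_status revoked.pem received_crl.pem                    # revoked
revocation_status ok.pem      received_crl.pem                    # good
revocation_status ok.pem      ""                                  # unknown: CRL unreachable
revocation_status ok.pem      received_crl.pem "$TWO_DAYS_AHEAD"  # unknown: CRL stale
```

The last two calls are the case the thread is about: with no CRL at hand, or with one whose nextUpdate has passed, the relying party cannot tell whether a newer CRL exists, so the check reports "unknown" instead of silently passing the certificate. Embedding the CRL in the PKCS#7 bundle lets the receiver at least verify against the same data the sender used.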