> > Certificate Revocation Lists (CRLs) provide the most supported
> > revocation information distribution mechanism. Although updates to
> > the CRL format (e.g., partitioned CRLs, delta CRLs) have been defined
> > to address scalability issues, they are rarely used in favor of more
> > compact formats. However, it is important to notice that the use of
> > CRLs might provide better privacy-preserving properties than other
> > protocols (e.g., OCSP), especially when considering the validation of
> > client-side certificates.
Are you using CRL as a generic term -- to include things like CRLSet, for example? If so, then this makes sense. But if so, then I think the wording needs to be tweaked, since partitioning and delta CRLs are only for the classic X.509 CRL structures. But then if it does include generic, then Chrome support for CRLSet is a pretty widely deployed use on the Web.

The privacy point raised is important. Not sure if it's important for client certificates (since you've already decided to give the server your cert); I do think it is VERY important for server-side certificates, where not letting national-scale adversaries know where you might be connecting is (well, er) key.

--
Principal Security Engineer, Akamai Technologies
IM: [email protected] Twitter: RichSalz

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
