Rich, if the device itself does cert validation, yes, I would agree with you. But there may be other options where head ends or some other kind of proxy (more capable than the devices themselves) perform validation on behalf of downstream devices. In such cases, CRLs might be more efficient than issuing many unique OCSP requests.
From: Richard Moore [mailto:[email protected]]
Sent: Monday, December 08, 2014 1:21 PM
To: [email protected]
Subject: Re: [Uta] (extra) WGLC for draft-ietf-uta-tls-bcp-07.txt

On 8 December 2014 at 20:33, Rick Andrews <[email protected]> wrote:

> Still, I wouldn't remove the discussion of CRLs. It's possible that they will prove better than alternatives in some IoT applications.

Really? I'm not sure how small devices will even be able to hold the CRLs given the size, let alone process them? I'd have thought something along the lines of the must-staple certificate extension would be a lot more practical there.

Rich.
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
