How do I enable OCSP checking?

Subject: How do I enable OCSP checking?
Author: X509
In response to: Why OCSP?
Posted on: 07/01/2010 08:07:33 PM

Two ways:

Dynamic Way

     // Activate OCSP
     Security.setProperty("ocsp.enable", "true");

Static Way

Locate the file named <java-jre>/lib/security/java.security

    ocsp.enable=true

>
> On 07/01/2010 03:15:34 PM X509 wrote:

Short answer: it's faster.

Long answer:

1) CRLs may be seen as analogous to a credit card company's "bad customer list" which can grow significantly to a huge list. Locally maintaining this huge list involves both memory (you may need 4GB memory just to preload the DOD's bad customer list) footprint and synchronization issues.

2) CPLDP sounds good but not reliable due to the greater number of requests to the well known CA's URL over the Internet.

3) Since an OCSP response contains less information than a typical CRL, OCSP can feasibly provide more timely information regarding the revocation status of a certificate without burdening the network.

4) The most important reason that OCSP may play a role is that OCSP's URL can be customized. It can be pointing to any third party or your own CRL checking service or a dedicated server.

References:

Next Post: Any other parameters to customize OCSP? X509 07/01/2010 08:23:16 PM
Previous Post: Why OCSP? X509 07/01/2010 03:15:34 PM
Next Topic: Stories in urdu,hindi,pakistani,indian stories (527) suhailrizwan 06/28/2010 05:11:14 PM
Previous Topic: Security Token Service (STS) authen 06/05/2010 07:10:58 PM
Index: by Date
Index: by Topic