| |
Why OCSP? |
|
|
Subject: Why OCSP?
Author: X509
In response to: What's the order then?
Posted on: 07/01/2010 03:15:34 PM
Short answer: it's faster.
Long answer:
1) CRLs may be seen as analogous to a credit card company's "bad customer list" which can grow significantly to a huge list. Locally maintaining this huge list involves both memory (you may need 4GB memory just to preload the DOD's bad customer list) footprint and synchronization issues.
2) CPLDP sounds good but not reliable due to the greater number of requests to the well known CA's URL over the Internet.
3) Since an OCSP response contains less information than a typical CRL, OCSP can feasibly provide more timely information regarding the revocation status of a certificate without burdening the network.
4) The most important reason that OCSP may play a role is that OCSP's URL can be customized. It can be pointing to any third party or your own CRL checking service or a dedicated server.
>
> On 07/01/2010 02:49:19 PM X509 wrote:
The three ways can be activated at the same time for certificate checking, but the process follows the order:
OCSP --> CRLDP --> CRL File
If the incoming certificate passes OCSP checkpoint, then CRLDP, and CRL File at last.
References:
|
|
|
|
