Ian,

Ian G wrote:
> Nelson's point was that CRLs become unbounded; but that's not a problem (a) if there are no disputes or (b) in an OCSP world. Pick (a) or (b).

Uh?

In case (a), even if there are no disputes, the CRL consumers all have to update the ever-growing CRLs. This can consume gigantic amounts of network bandwidth over time, especially if both the CRL and the number of consumers of that CRL grow.

As for case (b), if I understand correctly, you are saying CRLs growing unbounded is not a problem in a world without CRLs. Right :) ?

The fact is that both CRLs and OCSP have their uses, in different places.

IMO, CRLs belong on backends, which have to process large volumes of incoming transactions and can't afford to send outgoing OCSP requests for all their incoming requests without severe performance penalties.

OCSP is better suited for client apps, which should encounter a relatively small number of certs from a given CA.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

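The trade-off argued in the message above (a CRL is paid for by every consumer on every refresh, whether or not it consults the list, while OCSP is paid for per certificate checked) can be made concrete with a small bandwidth model. The following is an added illustration, not code from the dev-tech-crypto list or from NSS. Every size and rate in it is an assumed constant chosen to exercise the model, not a measurement, and the model deliberately ignores that a CRL may drop entries for certificates that have expired.

```python
"""Rough bandwidth model: full-CRL distribution versus per-certificate OCSP.

Added example for the CRL/OCSP discussion; not from the mailing list or NSS.
All sizes and rates below are assumed constants, not measured values.
"""
from dataclasses import dataclass

# Assumed encoding costs in bytes. A revokedCertificates entry is a serial,
# a revocation time and an optional reason code; an OCSP exchange is one
# request plus one signed response. Real figures vary with key size and
# extensions, so treat these as order-of-magnitude placeholders.
CRL_BASE_BYTES = 400          # assumed: signed CRL carrying no entries
CRL_ENTRY_BYTES = 40          # assumed: one revokedCertificates entry
OCSP_EXCHANGE_BYTES = 1500    # assumed: request + signed response


@dataclass(frozen=True)
class Deployment:
    """One population of relying parties using the same CA."""
    consumers: int                 # relying parties fetching the CRL or asking OCSP
    crl_refreshes_per_day: float   # how often each consumer re-downloads the CRL
    validations_per_day: int       # certificate checks each consumer performs
    distinct_certs_per_day: int    # distinct certificates each consumer sees
    ocsp_cache: bool = True        # reuse one OCSP response per distinct cert


def crl_size_bytes(revoked_entries: int) -> int:
    """Size of a CRL with `revoked_entries` entries: linear in the entry count
    and, without pruning, unbounded over the CA's lifetime."""
    return CRL_BASE_BYTES + CRL_ENTRY_BYTES * revoked_entries


def crl_bytes_per_day(d: Deployment, revoked_entries: int) -> float:
    """Bytes moved per day when every consumer re-downloads the whole CRL.

    Note what this does NOT depend on: how many certificates a consumer
    actually validates. The list is transferred whether it is consulted
    once or ten million times, which is why a high-volume backend
    amortises it so well."""
    return d.consumers * d.crl_refreshes_per_day * crl_size_bytes(revoked_entries)


def ocsp_bytes_per_day(d: Deployment) -> float:
    """Bytes moved per day when each consumer asks the responder per
    validation, or once per distinct certificate if responses are cached."""
    per_consumer = d.distinct_certs_per_day if d.ocsp_cache else d.validations_per_day
    return d.consumers * per_consumer * OCSP_EXCHANGE_BYTES


def cheaper_mechanism(d: Deployment, revoked_entries: int) -> str:
    """Which mechanism moves fewer bytes per day for this population."""
    return "CRL" if crl_bytes_per_day(d, revoked_entries) < ocsp_bytes_per_day(d) else "OCSP"


def crl_growth_series(revocations_per_day: int, days: int) -> list:
    """CRL size on each day when entries are never removed: the growth
    Nelson's 'unbounded' remark refers to."""
    return [crl_size_bytes(revocations_per_day * day) for day in range(days + 1)]


if __name__ == "__main__":
    revoked = 100_000  # assumed: entries on the CA's CRL today

    # A few backend servers each validating ten million certs a day.
    backend = Deployment(consumers=10, crl_refreshes_per_day=24,
                         validations_per_day=10_000_000,
                         distinct_certs_per_day=1_000_000)
    # A million client apps each seeing a couple of dozen certs a day.
    clients = Deployment(consumers=1_000_000, crl_refreshes_per_day=1,
                         validations_per_day=50, distinct_certs_per_day=20)

    for name, d in (("backend", backend), ("clients", clients)):
        print(f"{name}: CRL {crl_bytes_per_day(d, revoked):.3g} B/day, "
              f"OCSP {ocsp_bytes_per_day(d):.3g} B/day -> {cheaper_mechanism(d, revoked)}")
    print("CRL size over 30 days at 500 revocations/day:",
          crl_growth_series(500, 30)[-1], "bytes")
```

With the assumed constants the model reproduces the split the message argues for: the handful of high-volume backends come out ahead downloading the full CRL, while the large client population, each member of which sees only a few distinct certificates, comes out ahead asking OCSP. Changing the constants moves the crossover point but not the shape of the argument, which is that CRL cost scales with consumers times list size and OCSP cost scales with consumers times certificates checked.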