>On 31/1/09 03:56, Kyle Hamilton wrote:
>>The PKIX standard can deal with problems of this extent.
>>
>>If an implementation of the standard cannot, then the implementation
>>is nonconforming, and cannot be expected to interoperate.
>
>
>Do you mean, an implementation should be able to deal with a CRL of any size?
I don't know whether it is what Kyle meant, but it is certainly what I meant. If a trust anchor has a CRL that is too large for the implementation to handle, the implementation MUST remove that trust anchor from its pile.

>I thought the whole OCSP thing was about the realisation that CRLs were
>basically impractical out in userland?

You thought wrong, then.

>Don't get me wrong, I'm not trying to start an argument here, but it seems
>pretty tough to blame an application for not being able to cope for something
>we've already moved on from.

We have not moved on from CRLs, as RFC 5280 makes clear.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
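An added illustration of the fail-closed rule stated above, not code from the thread or from any Mozilla project: a verifier that drops a trust anchor whenever its CRL is over a size limit, unparseable, or not signed by that anchor, rather than silently skipping revocation checking. It uses the `cryptography` package; the function names and the size limit are my own choices.

```python
"""Fail-closed CRL handling: an anchor whose CRL cannot be processed is dropped."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_ca_and_crl(revoked_serials):
    """Constructed test data: a self-signed CA and a DER CRL it signs."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root")])
    now = datetime.datetime.now(datetime.timezone.utc)
    ca = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
          .public_key(key.public_key()).serial_number(x509.random_serial_number())
          .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(key, hashes.SHA256()))
    builder = (x509.CertificateRevocationListBuilder().issuer_name(name)
               .last_update(now).next_update(now + datetime.timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(now).build())
    crl = builder.sign(key, hashes.SHA256())
    return ca, crl.public_bytes(serialization.Encoding.DER)

def usable_anchors(anchors, max_crl_bytes):
    """anchors: {name: (ca_cert, crl_der)}. Returns {name: parsed_crl} for the
    anchors whose CRL can be fully processed; every other anchor is removed."""
    kept = {}
    for name, (ca, crl_der) in anchors.items():
        if len(crl_der) > max_crl_bytes:
            continue  # oversized CRL: drop the anchor, do not skip the check
        try:
            crl = x509.load_der_x509_crl(crl_der)
        except ValueError:
            continue  # truncated or malformed CRL: same treatment
        if not crl.is_signature_valid(ca.public_key()):
            continue  # CRL not issued by this anchor: same treatment
        kept[name] = crl
    return kept

def is_revoked(crl, serial):
    """Revocation lookup against a CRL that has already passed usable_anchors."""
    return crl.get_revoked_certificate_by_serial_number(serial) is not None
```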