An implementation should be able to deal with a CRL of any size, that is indeed what I'm saying. CRLs are also the ONLY revocation mechanism specified by X.509. (As well, they're also still specified in RFC 5280, which means that a fully-conforming implementation of the Internet PKI must handle CRLs as-specified.)

OCSP was created due to realizations about the problems associated with CRLs, including transfer time. OCSP is also ONLY defined by PKIX, and is only an adjunct to the CRL mechanism. (Put another way, the CRL is the "least common denominator". If an implementation can't deal with it, it is opening itself to an attack for any CA that only issues CRLs and does not provide an OCSP responder.)

-Kyle H

On Sat, Jan 31, 2009 at 6:05 AM, Ian G <i...@iang.org> wrote:
> On 31/1/09 03:56, Kyle Hamilton wrote:
>>
>> The PKIX standard can deal with problems of this extent.
>>
>> If an implementation of the standard cannot, then the implementation
>> is nonconforming, and cannot be expected to interoperate.
>
>
> Do you mean, an implementation should be able to deal with a CRL of any
> size?
>
> I thought the whole OCSP thing was about the realisation that CRLs were
> basically impractical out in userland? Don't get me wrong, I'm not trying
> to start an argument here, but it seems pretty tough to blame an application
> for not being able to cope for something we've already moved on from.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
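The point Kyle makes, that a relying party must be able to consume a CRL of any size because a CA is free to offer no OCSP responder, can be shown as working code. The example below is added here and is not code from the thread or from any project mentioned in it; it uses only Go's standard `crypto/x509`, and the CA, key and 10,000-entry CRL it builds are constructed test data. The checker parses the CRL once, verifies the CRL signature against the issuing CA and refuses a CRL outside its thisUpdate/nextUpdate window, then indexes the revoked serials into a hash set so that each lookup costs the same no matter how long the list is. Names such as `LoadCRL`, `RevocationIndex` and `BuildTestCRL` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrStaleCRL is returned when the CRL is outside its thisUpdate/nextUpdate window.
var ErrStaleCRL = errors.New("crl: outside validity window, refusing to use it")

// RevocationIndex holds a CRL that has already been signature-checked and
// indexed, so a lookup costs the same for 10 entries or 10 million.
type RevocationIndex struct {
	NextUpdate time.Time
	serials    map[string]struct{}
}

// LoadCRL parses a DER-encoded CRL, checks its signature against the issuing CA
// and its validity window, then builds a set of revoked serial numbers.
func LoadCRL(der []byte, issuer *x509.Certificate, now time.Time) (*RevocationIndex, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	// An unverified CRL is worthless: anyone could substitute an empty one.
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return nil, fmt.Errorf("crl: signature check failed: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return nil, ErrStaleCRL
	}
	idx := &RevocationIndex{
		NextUpdate: crl.NextUpdate,
		serials:    make(map[string]struct{}, len(crl.RevokedCertificates)),
	}
	for _, rc := range crl.RevokedCertificates {
		idx.serials[rc.SerialNumber.String()] = struct{}{}
	}
	return idx, nil
}

// IsRevoked reports whether the given certificate serial appears on the list.
func (ri *RevocationIndex) IsRevoked(serial *big.Int) bool {
	_, ok := ri.serials[serial.String()]
	return ok
}

// Count returns the number of revoked serials on the list.
func (ri *RevocationIndex) Count() int { return len(ri.serials) }

// BuildTestCRL creates a throwaway CA and a CRL revoking n consecutive serials
// starting at firstSerial. Constructed test data only, not a real CA.
func BuildTestCRL(n int, firstSerial int64, now time.Time) (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId:          []byte{1, 2, 3, 4},
	}
	caDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	revoked := make([]pkix.RevokedCertificate, n)
	for i := range revoked {
		revoked[i] = pkix.RevokedCertificate{
			SerialNumber:   big.NewInt(firstSerial + int64(i)),
			RevocationTime: now.Add(-time.Minute),
		}
	}
	crlTmpl := &x509.RevocationList{
		Number:              big.NewInt(7),
		ThisUpdate:          now.Add(-time.Minute),
		NextUpdate:          now.Add(time.Hour),
		RevokedCertificates: revoked,
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)
	if err != nil {
		return nil, nil, err
	}
	return ca, crlDER, nil
}

func main() {
	now := time.Now()
	ca, crlDER, err := BuildTestCRL(10000, 1000, now)
	if err != nil {
		panic(err)
	}
	idx, err := LoadCRL(crlDER, ca, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CRL is %d bytes with %d entries\n", len(crlDER), idx.Count())
	fmt.Println("serial 1000 revoked:", idx.IsRevoked(big.NewInt(1000)))
	fmt.Println("serial 5 revoked:   ", idx.IsRevoked(big.NewInt(5)))
}
```

Two failure modes the thread hints at are handled explicitly: a CRL whose signature does not verify against the CA that is supposed to have issued it is rejected rather than trusted, and a CRL past its nextUpdate is rejected rather than silently treated as current. Raising `n` in `BuildTestCRL` shows the cost moving into the one-time parse and index step while `IsRevoked` stays constant-time.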