Ian,
Ian G wrote:
> On 31/1/09 03:56, Kyle Hamilton wrote:
>> The PKIX standard can deal with problems of this extent.
>> If an implementation of the standard cannot, then the implementation
>> is nonconforming, and cannot be expected to interoperate.
> Do you mean, an implementation should be able to deal with a CRL of any
> size?
> I thought the whole OCSP thing was about the realisation that CRLs were
> basically impractical out in userland? Don't get me wrong, I'm not
> trying to start an argument here, but it seems pretty tough to blame an
> application for not being able to cope with something we've already moved
> on from.
You thought wrong. OCSP is not a replacement for CRLs. They both have
different use cases.
On the server side, OCSP is not suitable, and CRLs must be used. Servers
need to be prepared to handle large CRLs. NSS has been able to do so for
a long time.
On the client side, OCSP makes much more sense.
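The following is an added illustration of the server-side pattern the reply is describing (a server handles a large CRL by parsing and signature-checking it once, then answering per-connection revocation queries from an index); it is example code written for this page, not NSS code and not part of the thread. It uses only the Go standard library (crypto/x509's CreateRevocationList and ParseRevocationList), and the CA, key and revoked serials are constructed test data, not taken from any real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationIndex is the server-side shape of a CRL: parsed and
// signature-checked once when fetched, then queried per connection
// from a set keyed by certificate serial number.
type RevocationIndex struct {
	serials    map[string]struct{}
	NextUpdate time.Time
}

// BuildIndex parses a DER-encoded CRL, verifies it was signed by issuer,
// and loads every revoked serial. CRL size only affects this one-time
// step, never the per-lookup cost.
func BuildIndex(crlDER []byte, issuer *x509.Certificate) (*RevocationIndex, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, fmt.Errorf("parse CRL: %w", err)
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return nil, fmt.Errorf("CRL signature: %w", err)
	}
	idx := &RevocationIndex{
		serials:    make(map[string]struct{}, len(rl.RevokedCertificates)),
		NextUpdate: rl.NextUpdate,
	}
	for _, rc := range rl.RevokedCertificates {
		idx.serials[rc.SerialNumber.Text(16)] = struct{}{}
	}
	return idx, nil
}

// Count returns the number of revoked serials loaded.
func (ix *RevocationIndex) Count() int { return len(ix.serials) }

// IsRevoked answers the per-connection question with a single map lookup.
func (ix *RevocationIndex) IsRevoked(serial *big.Int) bool {
	_, ok := ix.serials[serial.Text(16)]
	return ok
}

// Stale reports whether nextUpdate has passed; a server should refresh
// rather than keep trusting an expired list.
func (ix *RevocationIndex) Stale(now time.Time) bool { return now.After(ix.NextUpdate) }

// BuildTestCRL constructs a throwaway CA and a CRL revoking serials 1..n.
// Constructed test data for this example only.
func BuildTestCRL(n int) (crlDER []byte, ca *x509.Certificate, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1 << 40), // outside the revoked range
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	revoked := make([]pkix.RevokedCertificate, 0, n)
	for i := 1; i <= n; i++ {
		revoked = append(revoked, pkix.RevokedCertificate{
			SerialNumber:   big.NewInt(int64(i)),
			RevocationTime: now.Add(-time.Minute),
		})
	}
	crlTmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now.Add(-time.Minute),
		NextUpdate:          now.Add(12 * time.Hour),
		RevokedCertificates: revoked,
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)
	return crlDER, ca, err
}

func main() {
	crl, ca, err := BuildTestCRL(100000)
	if err != nil {
		panic(err)
	}
	idx, err := BuildIndex(crl, ca)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CRL %d bytes, %d revoked; 42 revoked=%v, 1e9 revoked=%v, stale=%v\n",
		len(crl), idx.Count(), idx.IsRevoked(big.NewInt(42)),
		idx.IsRevoked(big.NewInt(1e9)), idx.Stale(time.Now()))
}
```

The design point is that the expensive operations (DER parsing, signature verification) happen once per CRL refresh, so a CRL with a hundred thousand entries costs the server a few megabytes of memory and a short parse, not per-handshake work; the Stale check is what keeps a large, infrequently refreshed CRL from silently becoming a stale one.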
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto