On 10/02/12 11:02, Erwann Abalea wrote:
On Wednesday, 8 February 2012 21:57:09 UTC+1, Kai Engert wrote:
My criticism:

(a)
I don't like it that the amount of CRLs will be a subset of all CRLs.
What about all the revoked certificates that aren't included in the list?

With a dynamic mechanism like OCSP (and in the future OCSP stapling) you
don't have to make a selection.

OCSP Stapling doesn't work. You can have only one OCSP response by the standard,
while you need at least 2. It was defined that way in 2006 (RFC4366), and
confirmed in 2011 (RFC6066).

The fact that only 1 OCSP Response can be stapled is not a problem...if we could just find a different way to improve revocation checking of the intermediate CA certificate(s) in the chain.

Since there are probably very few revoked intermediate CA certificates in the wild, why not use CRLSets just for intermediate revocation checking? (I'd expect the size of this data to be well under 100K!)

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
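As an added example, not part of this thread or of any Mozilla or Chromium code, the following Python sketches the split Rob describes: the single stapled OCSP response vouches only for the leaf, and intermediate CA certificates are checked against a small locally held set of revoked (issuer SPKI hash, serial) pairs. The Cert fields, the 52-byte-per-entry encoding and the sample chain are constructed for illustration and are not Chrome's actual CRLSet format.

```python
"""Revocation check for a TLS chain with a single stapled OCSP response
(RFC 4366 / RFC 6066 status_request carries only one). It can only cover the leaf,
so intermediate CAs are checked against a small local revocation set. Data is constructed."""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer_spki: bytes  # issuer's SubjectPublicKeyInfo (constructed bytes, not real DER)
    serial: int

def spki_hash(spki: bytes) -> bytes:
    return hashlib.sha256(spki).digest()

class IntermediateRevocationSet:
    """Compact CRLSet-like set keyed by SHA-256(issuer SPKI) and serial number."""
    def __init__(self, entries):
        self._revoked = {(spki_hash(spki), serial) for spki, serial in entries}
    def is_revoked(self, cert: Cert) -> bool:
        return (spki_hash(cert.issuer_spki), cert.serial) in self._revoked
    def encoded_size(self) -> int:
        # Assumed layout: 32-byte hash + 20-byte serial (RFC 5280 caps serials at 20 octets)
        return 52 * len(self._revoked)

def check_chain(chain, stapled, revset):
    """chain = [leaf, intermediate, ...] without the root; stapled = the one OCSP
    response as {"issuer_spki", "serial", "status"} or None. Returns (ok, reason)."""
    leaf, intermediates = chain[0], chain[1:]
    if stapled is None or (stapled["issuer_spki"], stapled["serial"]) != (leaf.issuer_spki, leaf.serial):
        return False, "stapled OCSP response missing or does not match the leaf"
    if stapled["status"] != "good":
        return False, "leaf revoked (stapled OCSP)"
    for ca in intermediates:  # no stapled status exists for these; consult the local set
        if revset.is_revoked(ca):
            return False, f"intermediate {ca.subject!r} revoked (local revocation set)"
    return True, "ok"

# Constructed sample chain: root -> "Example Intermediate CA" -> leaf.
ROOT_SPKI, INT_SPKI = b"constructed-root-spki", b"constructed-intermediate-spki"
INTERMEDIATE = Cert("Example Intermediate CA", ROOT_SPKI, 0x2002)
LEAF = Cert("www.example.test", INT_SPKI, 0x1001)
STAPLED_GOOD = {"issuer_spki": INT_SPKI, "serial": 0x1001, "status": "good"}
EMPTY = IntermediateRevocationSet([])
REVSET = IntermediateRevocationSet([(ROOT_SPKI, 0x2002)])  # lists the intermediate

if __name__ == "__main__":
    print(check_chain([LEAF, INTERMEDIATE], STAPLED_GOOD, EMPTY))   # (True, 'ok')
    print(check_chain([LEAF, INTERMEDIATE], STAPLED_GOOD, REVSET))  # (False, "intermediate ... revoked ...")
```

With a stapled response alone the revoked intermediate passes unnoticed; the local set catches it, and a thousand such entries encode to about 52 KB.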
