https://bz.apache.org/bugzilla/show_bug.cgi?id=56148
--- Comment #24 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to logo from comment #22)
> @Chris: while this may be true for LE, I haven't read anything about
> terminating OCSP in browsers or any other CA.

In July 2023, the CAB forum removed the requirement for CAs to support OCSP.

> For myself I use OCSP for my internal CA (SmallStep) and I'm far more
> comfortable with the online version than having to recreate CRLs myself and
> reload them manually in Tomcat.

Are you talking about clients (browsers) checking server certificates, or servers (e.g. Tomcat) checking client certificates? Because you NEVER have to load a CRL into Tomcat unless you are performing client-certificate validation on your server.

> Beware CRLs in the regular CAs are not optimized and can still become
> painfully big.

Cascading bloom filters will set you free. Every certificate revocation in the history of x509 certificates can fit into a few kilobytes. And you don't need every cert revoked for all time, you only need the ones that were revoked before their expirations.

I don't really have a dog in this fight, but I do have to admit that I think CRLite can fix the "revocation problem" -- which has NEVER been adequately solved in the past -- once and for all. OCSP was another attempt at fixing things that came with a whole bunch of other problems itself.

My comment #20 was intended to provide a small update to this old OLD issue request because it's possible that the industry is going to move away from OCSP and anything we don't have to implement, we shouldn't.
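The filter cascade the comment above refers to (the CRLite approach), as an added example that is not part of the bug thread or of CRLite's own code: Bloom filter levels alternate between the revoked set and the false positives drawn from the not-revoked set until a level produces none, so every known unexpired certificate is answered exactly while the whole structure stays a few dozen bytes. The serial identifiers, the SHA-256-based hashing and the 50% per-level false-positive target are constructed assumptions, not CRLite's real encoding.

```python
import hashlib
import math

class Bloom:
    """Minimal Bloom filter: m bits, k SHA-256-derived hashes, salted per cascade level."""

    def __init__(self, items, fp_rate, salt):
        n = max(len(items), 1)
        self.m = max(8, int(-n * math.log(fp_rate) / math.log(2) ** 2))  # bits
        self.k = max(1, round(self.m / n * math.log(2)))                  # hashes
        self.salt = salt
        self.bits = bytearray((self.m + 7) // 8)
        for item in items:
            for idx in self._indexes(item):
                self.bits[idx >> 3] |= 1 << (idx & 7)

    def _indexes(self, item):
        for i in range(self.k):
            h = hashlib.sha256(f"{self.salt}:{i}:{item}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def __contains__(self, item):
        return all(self.bits[i >> 3] & (1 << (i & 7)) for i in self._indexes(item))

def build_cascade(revoked, valid, fp_rate=0.5):
    """Level 1 holds the revoked set; each later level holds only the false positives the
    previous level produced on the *other* set. Stops once a level has no false positives,
    so every certificate in either input set is classified exactly (unknown ids are not)."""
    levels, include, exclude = [], set(revoked), set(valid)
    while include:
        bf = Bloom(include, fp_rate, salt=len(levels))  # fresh salt: no sticky collisions
        levels.append(bf)
        include, exclude = {x for x in exclude if x in bf}, include
    return levels

def is_revoked(levels, cert_id):
    """Walk the cascade: dropping out at depth 0, 2, ... means 'not revoked'; at 1, 3, ... 'revoked'."""
    for depth, bf in enumerate(levels):
        if cert_id not in bf:
            return depth % 2 == 1
    return len(levels) % 2 == 1  # survived every level: it is in the last level's genuine set

def cascade_bytes(levels):
    return sum(len(bf.bits) for bf in levels)

# Constructed sample data: 20 revoked serials among 300 unexpired ones from one issuer.
REVOKED = [f"serial-{i:04x}" for i in range(0, 300, 15)]
VALID = [f"serial-{i:04x}" for i in range(300) if i % 15]
CASCADE = build_cascade(REVOKED, VALID)
```

The exactness guarantee only covers identifiers that were in one of the two input sets, which is why CRLite pairs the cascade with a complete list of unexpired certificates from CT logs.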