
RE: OCSP and LDAP
"Ambarish Malpani" <ambarish@xxxxxxxxxxx> writes:

>You should seriously consider having your responder work off a CA's CRL,
>rather than trying to access its database directly. There are a set of
>reasons why this is a good idea. Here are a few (in no particular order):

You should seriously consider having your responder work off a CA's database
rather than trying to use CRLs. There are a set of reasons why this is a good
idea. Here are a few (in no particular order):

- Real-time cert status rather than inserting an artificial delay for
  compatibility with OSI ideology (someone once said that the only reason
  you'd want to drive an online status protocol from an offline mechanism
  is if you wanted to emphasise how broken it was [0]).

- Much better performance (I have an RFC draft in the works which looks at
  this which should be out RSN, I hope).  You can't build a faster system than
  the one described in the RFC.

  (Actually in the process of working on the RFC draft, I've discovered that
  there are already a surprising number of implementations which work directly
  from a CA database, some dating back to before OCSP was even an RFC.
  Standardising this operation, rather than having everyone do their own
  proprietary version, was one of the motivations for writing the draft).

[0] I've lost the source of this quote, if it's yours please let me know so I
    can attribute it.

Hope this helps,
Regards,
Peter.