RE: OCSP and LDAP

[pgut001@xxxxxxxxxxxxxxxxx (Peter Gutmann)]

"Ambarish Malpani" <ambarish@xxxxxxxxxxx> writes:

>I have still to see a place where using CRLs as the mechanism for letting a
>VA know of changes in the revocation data has led to poorer performance than
>having the VA access the CA's database directly.

Most of the CAs I know of issues CRLs a few times a day, some as infrequently
as once a day.  If I'm doing processing with any kind of value attached to the
transaction, I want to know whether the cert is valid right now, not whether
it was OK last night when the CRL was issued (substitute "credit card" for
"cert" to see why this is important).  I have never seen a situation where an
offline CRL gives better performance than a real-time check of a live
database, unless you happen to catch it just as the CRL is being issued, which
(for a 24-hour CRL time) only works about once in 86,400 times.

I think one of the reasons why there aren't more complaints about CRLs is
because so many apps only pay lip service to revocation checking, so it
doesn't really matter if it doesn't work proprely ("We go through the motions
because the CA policy requires it"/"It's turned off by default, but we can
claim it's there"/"We realise the CRL is almost always out of date, but our
accounting processes should catch any problems"/etc are all excuses I've
heard).  If you build a system where you can tell users that there's a simple
online check which guarantees that at the time the check was done the cert was
valid (rather than being valid a couple of hours ago) following the credit
card model that businesses are used to, perhaps people would lend more weight
to the value of checking.  Actually, as mentioned in my previous message,
implementors are already doing this, and have been doing it for some time,
because people care about real-time cert status information, it's just not
standardised in any spec (yet :-) so you get a pile of proprietary ways of
doing it.

Peter.