RE: OCSP and LDAP
Peter,
> Most of the CAs I know of issues CRLs a few times a day, some
> as infrequently as once a day. If I'm doing processing with
> any kind of value attached to the transaction, I want to know
> whether the cert is valid right now, not whether it was OK
> last night when the CRL was issued (substitute "credit card"
> for "cert" to see why this is important). I have never seen
> a situation where an offline CRL gives better performance
> than a real-time check of a live database, unless you happen
> to catch it just as the CRL is being issued, which (for a
> 24-hour CRL time) only works about once in 86,400 times.
This argument is backwards: The CAs are doing the minimum that they can
while still conforming to the model, because no one is (as you correctly
note) really asking for CRLs (or revocation checking in any other way)
more than as a checkbox item. It doesn't mean that they can't. When need
arises, they can switch to issuing one delta per revocation and push
that to their OCSP responders.
It is just as up to date as coupling an OCSP responder directly to the
CA database, and it keeps the CA offline. The only thing missing, from a
standards perspective, is to specify the push protocol.
Simon
Simon Tardell, cell +46 70 3198319, simon@xxxxxxxxxx
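The trade-off the two messages argue about, as an added illustration that is not part of this thread and not code from either poster: a toy model in which one OCSP responder is fed only the once-a-day base CRL while another receives a delta CRL pushed after every revocation. Neither responder ever reads the CA database, so the CA stays offline in both cases; the model shows that the pushed responder still reports the same status as the CA's own record, while the daily one answers from hours-old data. The serial number, timestamps and class names are constructed for the example, and the delta chaining check (a delta is only accepted against the base it was computed from) is a simplification of what a real delta CRL carries.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class CaDatabase:
    """The CA's private revocation record; the responders below never read it."""
    revoked: Dict[int, int] = field(default_factory=dict)  # serial -> revocation time (s)

    def revoke(self, serial: int, now: int) -> None:
        self.revoked[serial] = now

    def is_revoked(self, serial: int) -> bool:
        return serial in self.revoked


@dataclass(frozen=True)
class Crl:
    this_update: int
    serials: FrozenSet[int]


@dataclass(frozen=True)
class DeltaCrl:
    this_update: int
    base_this_update: int          # the base CRL this delta extends
    serials: FrozenSet[int]


def issue_base_crl(db: CaDatabase, now: int) -> Crl:
    return Crl(now, frozenset(db.revoked))


def issue_delta_crl(db: CaDatabase, base: Crl, now: int) -> DeltaCrl:
    """Everything revoked after the base was issued (one delta per revocation in this model)."""
    new = frozenset(s for s, t in db.revoked.items() if t > base.this_update)
    return DeltaCrl(now, base.this_update, new)


class OcspResponder:
    """Answers only from CRL data pushed to it, never from a live CA database."""

    def __init__(self) -> None:
        self.base: Optional[Crl] = None
        self.deltas: List[DeltaCrl] = []

    def load_base(self, crl: Crl) -> None:
        self.base = crl
        self.deltas = []           # deltas chained to an older base are discarded

    def load_delta(self, delta: DeltaCrl) -> bool:
        # A delta is only meaningful against the base it was computed from.
        if self.base is None or delta.base_this_update != self.base.this_update:
            return False
        self.deltas.append(delta)
        return True

    def last_update(self) -> Optional[int]:
        if self.base is None:
            return None
        return max([self.base.this_update] + [d.this_update for d in self.deltas])

    def status(self, serial: int, now: int) -> dict:
        """Status plus the age of the newest data the answer is based on."""
        if self.base is None:
            return {"status": "unknown", "age": None}
        revoked = serial in self.base.serials or any(serial in d.serials for d in self.deltas)
        return {"status": "revoked" if revoked else "good", "age": now - self.last_update()}


def simulate() -> dict:
    """Constructed scenario: one revocation an hour after the daily CRL was issued."""
    db = CaDatabase()
    daily = OcspResponder()        # fed only by the once-a-day base CRL
    pushed = OcspResponder()       # fed by a delta after every revocation
    base = issue_base_crl(db, now=0)
    daily.load_base(base)
    pushed.load_base(base)

    serial = 0x1001                # constructed sample serial, not a real certificate
    db.revoke(serial, now=3600)
    pushed.load_delta(issue_delta_crl(db, base, now=3600))  # pushed immediately

    now = 3700
    return {
        "ca_db": db.is_revoked(serial),
        "daily": daily.status(serial, now),
        "pushed": pushed.status(serial, now),
        # a delta built against some other base must not be applied
        "mismatched_delta_rejected": daily.load_delta(DeltaCrl(3600, 999, frozenset({serial}))),
    }


if __name__ == "__main__":
    print(simulate())
```

Running it shows the daily responder still answering "good" with data 3700 s old, while the pushed responder answers "revoked" with data 100 s old, matching the CA database. The point it makes for a deployment is that the freshness of an OCSP answer is set by how often revocation data reaches the responder, not by whether the responder is wired to the CA's database.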