RE: Cached OCSP responses vs. single entry CRLs
Carl, there are a number of reasons, one of the most significant being
backwards compatibility; many existing client implementations do not
support partitioned CRLs and there is no way to tell from a CDP if the
data on the other end represents a partitioned CRL or a full one.
Additionally there are commercial OCSP responders out there that support
this concept, yet very few CAs support the use of partitioned CRLs to that
granularity.
Ryan
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
On Behalf Of Carl Wallace
Sent: Friday, December 05, 2003 1:09 PM
To: ietf-pkix@xxxxxxx
Subject: Cached OCSP responses vs. single entry CRLs
Why use OCSP to convey pre-produced revocation information in the way that's
being discussed? Why not use single entry CRLs? The functionality is
similar and they could be propagated using existing technology (e.g.
directories, 3280 compliant path processing clients, etc.).
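Ryan's point above is that a certificate's CDP gives no hint whether the URL behind it serves a partitioned (single-entry) CRL or a full one. Once the CRL has been fetched, though, the Issuing Distribution Point extension from RFC 3280 section 5.2.5 is what a relying party uses to recover that scope and, per section 6.3.3, to confirm the CRL actually applies to the certificate in hand before trusting a "not listed" result. The following is an added example, not code from either message or from any project: it builds a one-entry partitioned CRL and a full CRL with the `cryptography` library and applies that scope check. The CA name, the URLs and the serial numbers are constructed placeholders.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed sample values: a throwaway CA name, a placeholder partition URL
# (.invalid TLD, never resolvable) and made-up serial numbers.
ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
PARTITION_URL = "http://crl.example.invalid/partition-1234.crl"
FULL_URL = "http://crl.example.invalid/full.crl"
REVOKED_SERIAL = 1234


def build_crl(signing_key, serials, partition_url=None):
    """Sign a CRL listing `serials`. When partition_url is given, add a critical
    Issuing Distribution Point naming that partition; the IDP is what turns a
    CRL from "complete for this issuer" into "scoped to this distribution point"."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ISSUER)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=1))
    )
    for serial in serials:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    if partition_url is not None:
        idp = x509.IssuingDistributionPoint(
            full_name=[x509.UniformResourceIdentifier(partition_url)],
            relative_name=None,
            only_contains_user_certs=False,
            only_contains_ca_certs=False,
            only_some_reasons=None,
            indirect_crl=False,
            only_contains_attribute_certs=False,
        )
        builder = builder.add_extension(idp, critical=True)
    return builder.sign(private_key=signing_key, algorithm=hashes.SHA256())


def crl_scope(crl):
    """Classify a fetched CRL by its IDP extension: ("full", []) when there is
    none, otherwise ("partitioned", [distribution point names it is scoped to])."""
    try:
        idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value
    except x509.ExtensionNotFound:
        return "full", []
    names = [name.value for name in (idp.full_name or [])]
    return "partitioned", names


def crl_covers(crl, cert_cdp_url):
    """RFC 3280 6.3.3 (b)(2)(i): a CRL whose IDP names distribution points only
    applies to certificates whose CDP names one of them; a CRL without an IDP
    applies to every certificate of the issuer."""
    kind, names = crl_scope(crl)
    return kind == "full" or cert_cdp_url in names


def revocation_status(crl, cert_cdp_url, serial):
    """Look a serial up only after confirming the CRL is in scope for the
    certificate; an out-of-scope CRL says nothing about that certificate."""
    if not crl_covers(crl, cert_cdp_url):
        return "out-of-scope"
    if crl.get_revoked_certificate_by_serial_number(serial) is not None:
        return "revoked"
    return "good"


def demo():
    """Build one partitioned and one full CRL and exercise the scope check."""
    key = ec.generate_private_key(ec.SECP256R1())
    single = build_crl(key, [REVOKED_SERIAL], partition_url=PARTITION_URL)
    full = build_crl(key, [REVOKED_SERIAL, 5678])
    return {
        "single_scope": crl_scope(single),
        "full_scope": crl_scope(full),
        "single_hit": revocation_status(single, PARTITION_URL, REVOKED_SERIAL),
        "single_wrong_cdp": revocation_status(single, FULL_URL, REVOKED_SERIAL),
        "full_hit": revocation_status(full, FULL_URL, 5678),
        "full_miss": revocation_status(full, FULL_URL, 9999),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The `single_wrong_cdp` case is the one that matters for Carl's proposal: a single-entry CRL that does not list a serial is only evidence of "good" for certificates whose CDP points at that partition, so a client that ignores the IDP (the legacy clients Ryan mentions) would wrongly treat an unrelated partition as proof of non-revocation.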