[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Checking client certificates against CRLs

Mike Jackson wrote:
> OCSP is, IMO, far preferable because it can perform delta CRL checking
> behind the scenes, removes the need to implement delta CRL checking in the
> clients, simplifies your certificate profiles, and is overall better for
> the network for a few reasons.

Such a general statement regarding CRL vs. OCSP is nonsense.

If you have really high traffic checking client certs against a local
black-list (CRL) is much better.

Also OCSP is a privacy nightmare.

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature