[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Checking client certificates against CRLs

To: Mike Jackson <mj@netauth.com>
Subject: Re: Checking client certificates against CRLs
From: Michael Ströder <michael@stroeder.com>
Date: Mon, 14 Apr 2014 21:56:27 +0200
Cc: openldap-technical@openldap.org
In-reply-to: <11436C50-97A9-4098-AA1E-FF6115D2D631@netauth.com>
References: <68C970A5-824D-4F44-A77C-5A992EAED268@aqwari.net> <ded618d5c3553bd524053739f7ba0294@srv1.stroeder.com> <04537714-938C-424B-8F31-85A8BD56BBA5@netauth.com> <53458B64.3080207@symas.com> <11436C50-97A9-4098-AA1E-FF6115D2D631@netauth.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 SeaMonkey/2.25

Mike Jackson wrote:
> OCSP is, IMO, far preferable because it can perform delta CRL checking
> behind the scenes, removes the need to implement delta CRL checking in the
> clients, simplifies your certificate profiles, and is overall better for
> the network for a few reasons.

Such a general statement regarding CRL vs. OCSP is nonsense.

If you have really high traffic checking client certs against a local
black-list (CRL) is much better.

Also OCSP is a privacy nightmare.

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

References:
- Checking client certificates against CRLs
  - From: David Arroyo <droyo@aqwari.net>
- Re: Checking client certificates against CRLs
  - From: "Michael StrÃder" <michael@stroeder.com>
- Re: Checking client certificates against CRLs
  - From: Mike Jackson <mj@netauth.com>
- Re: Checking client certificates against CRLs
  - From: Howard Chu <hyc@symas.com>
- Re: Checking client certificates against CRLs
  - From: Mike Jackson <mj@netauth.com>

Prev by Date: Re: CRL with OpenSSL
Next by Date: Re: CRL with OpenSSL
Index(es):
- Chronological
- Thread