>>I'd have to say though that the CDP field works rather well. I run a rather
>>large set of CAs. When we were just using the monolithic CRL, each client
>>takes a long time to do verification of certificates. When we switched to
>>the distribution point extension, verification checking time fell
>>considerably.
Depends on which CA server you are using and on how large the CRL is. We
have processed CRLs larger than 8kb in under a second but it took that CA
over 60 seconds to respond to the request to send the CRL. Other vendors' CA
servers respond much faster. With a small CA and a fast responding server
it could take longer to verify the signature on the CRL than it takes to
actually get the CRL and check the contents.
michael