I would assume most CAs support some form of revocation, the practices probably vary more on frequency of updates and type of service (monthly vs hourly and CRL vs OCSP). Also some CAs include automated retrieval data in certificates (CDPs and OCSP AIAs) while others don't.
Revocation is considered a basic part of the PKI system. As far back as 1995 Apple was pointing their "DigiSign" users at an IVR-based revocation status server.

Size can be a significant issue in CRLs, especially for slower network connections. The biggest CRL VeriSign publishes is nearly 700KB. The average is probably around 80KB; the mode and median are 1KB. There is a very strong correlation between the depth of the CRL in a hierarchy and its size, such that the CRLs for the roots are typically under 1KB while the leaves are much larger. This is one of the primary benefits of OCSP and is particularly relevant when timeliness is significant (pulling a big CRL once a month is a very different thing than pulling it once per site visit).

FF does support using OCSP (and is compatible with at least one CA's OCSP service - I have my FF set up this way). Using CRLs or OCSP properly includes respecting update intervals, which may be specified at the HTTP layer. Any update method for CRLs is probably better than no revocation support. For folks with slow connections perhaps it is preferable to perform opportune downloads using idle network time to pull data.

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
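The post's point about respecting update intervals from both the CRL itself (nextUpdate) and the HTTP layer (Cache-Control) is easy to get wrong in a client. The following is an added example, not code from the post or from Mozilla: a small CRL cache that decides when to re-fetch a CRL, keeps using a cached copy that is stale in HTTP terms but still inside its nextUpdate window when the network is down, and reports "unknown" rather than "good" once no trustworthy status exists. The CDP URL, issuer name, serial numbers and timestamps are constructed for illustration, and the `FakeFetcher` stands in for the HTTP download a real client would do.

```python
"""Added example (not from the mailing-list post): a CRL cache that honours
both the CRL's own nextUpdate and HTTP-layer freshness hints, and fails
closed when no trustworthy revocation status is available.  All names,
URLs, serial numbers and timestamps below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference time


@dataclass
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, str]                 # serial number -> revocation reason
    http_max_age: Optional[int] = None      # seconds from Cache-Control, if any


def parse_cache_control(header: str) -> Optional[int]:
    """Extract max-age (seconds) from a Cache-Control value; None if absent."""
    for directive in header.split(","):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.isdigit():
            return int(value)
    return None


def refresh_deadline(crl: Crl, fetched_at: datetime) -> datetime:
    """Re-fetch at the earlier of the CRL's nextUpdate and the HTTP lifetime."""
    deadline = crl.next_update
    if crl.http_max_age is not None:
        deadline = min(deadline, fetched_at + timedelta(seconds=crl.http_max_age))
    return deadline


class CrlCache:
    def __init__(self, fetch: Callable[[str], Crl]):
        self._fetch = fetch
        self._entries: Dict[str, Tuple[Crl, datetime]] = {}   # CDP URL -> (CRL, fetched_at)

    def _current(self, cdp_url: str, now: datetime) -> Optional[Crl]:
        entry = self._entries.get(cdp_url)
        if entry is not None and now < refresh_deadline(entry[0], entry[1]):
            return entry[0]                              # fresh by both measures
        try:
            crl = self._fetch(cdp_url)
        except OSError:
            crl = None                                   # network failure
        if crl is not None and crl.this_update <= now < crl.next_update:
            self._entries[cdp_url] = (crl, now)
            return crl
        # Fetch failed or returned a CRL outside its validity window: a copy that is
        # past its HTTP max-age but still before nextUpdate is still usable.
        if entry is not None and now < entry[0].next_update:
            return entry[0]
        return None

    def status(self, cdp_url: str, serial: int, now: datetime) -> str:
        crl = self._current(cdp_url, now)
        if crl is None:
            return "unknown"        # never report "good" without a valid CRL
        return "revoked" if serial in crl.revoked else "good"


def should_trust(status: str, hard_fail: bool = True) -> bool:
    """Policy decision: 'unknown' is rejected under hard-fail, tolerated under soft-fail."""
    if status == "revoked":
        return False
    if status == "good":
        return True
    return not hard_fail


def sample_crl() -> Crl:
    """Constructed CRL: one revoked serial, 30-day validity, 1-hour HTTP max-age."""
    return Crl(issuer="CN=Example Issuing CA (constructed)", this_update=T0,
               next_update=T0 + timedelta(days=30),
               revoked={0x1234: "keyCompromise"},
               http_max_age=parse_cache_control("public, max-age=3600"))


class FakeFetcher:
    """Stand-in for the HTTP download of a CDP; counts attempts and can go offline."""
    def __init__(self) -> None:
        self.attempts = 0
        self.offline = False

    def __call__(self, url: str) -> Crl:
        self.attempts += 1
        if self.offline:
            raise OSError("network unreachable")
        return sample_crl()


def demo() -> Tuple[List[str], int]:
    """Walk one CRL through fresh, cached, refreshed, stale-but-valid and expired states."""
    fetcher = FakeFetcher()
    cache = CrlCache(fetcher)
    url = "http://crl.example.invalid/issuing.crl"      # constructed CDP URL
    out = [cache.status(url, 0x1234, T0),                                  # revoked, fetched
           cache.status(url, 0x9999, T0 + timedelta(minutes=30)),          # good, served from cache
           cache.status(url, 0x1234, T0 + timedelta(hours=2))]             # revoked, re-fetched (max-age)
    fetcher.offline = True
    out.append(cache.status(url, 0x1234, T0 + timedelta(hours=4)))         # revoked, stale copy still before nextUpdate
    out.append(cache.status(url, 0x1234, T0 + timedelta(days=31)))         # unknown: CRL expired, fetch failed
    return out, fetcher.attempts


if __name__ == "__main__":
    print(demo())
```

The deciding factor in `_current` is the order of checks: the HTTP max-age only controls how eagerly the client re-fetches, while nextUpdate is the hard limit on how long a copy may be relied upon, so an outage inside the window keeps revocation checking working and an outage past it surfaces as "unknown" for the policy layer to act on.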
