Revocation services are a basic part of the PKI model, I expect most if not all CAs offer at least CRLs.
CRLs can get quite large. This is mostly true for the leaf CAs (to keep the root safer they are often kept offline and locked up in an N-tier safe that requires many bodies to open and other bodies to activate); the root CAs then typically issue only a handful of certificates and so their CRLs are typically under 1000 bytes. The CAs that do the bulk of the issuance may have large CRLs (the biggest VeriSign one is nearly 700KB! while the mode and median are sub 1KB). OCSP scales much better and is probably better suited for client uses than CRLs. While CRLs and OCSP are probably both fine for server use, more sensitive transactions should use OCSP as the data can be more timely (VeriSign OCSP is generally updated within minutes whereas CRLs are updated much less frequently; there are real-time OCSP services available to 'managed hierarchy' customers with severe requirements). HTTP caching of OCSP or CRLs is probably a requirement for revocation to be manageable for the user and the service provider.

mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
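As an added example (not code from the post, from Mozilla or from any CA), here is the relying-party side of what the post describes, in Go using only the standard library: the CRL signature is checked against the issuer, a CRL past its nextUpdate is treated as unusable rather than as evidence of "good" (this is the timeliness gap the post contrasts with OCSP), and the DER size of a one-entry CRL comes out well under 1 KB, as the post says for sparse root CRLs. The issuing CA, serial numbers and times are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkCRL verifies the issuer's signature and rejects a CRL outside its thisUpdate/nextUpdate
// window before looking the serial up. It returns "good", "revoked" or "unknown" (CRL unusable).
func checkCRL(der []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (string, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil { return "unknown", err }
	if err := crl.CheckSignatureFrom(issuer); err != nil { return "unknown", err }
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return "unknown", fmt.Errorf("CRL stale at %v (valid %v to %v); fetch a fresh copy", now, crl.ThisUpdate, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 { return "revoked", nil }
	}
	return "good", nil
}

// Demo builds a throwaway issuing CA in memory (constructed test data, not a real CA), signs a one-day
// CRL revoking serial 42, then checks serials 42 and 43 now and serial 43 two days later (stale CRL).
func Demo() (revoked, good, stale string, size int, err error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return }
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, SubjectKeyId: []byte{1, 2, 3, 4},
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cRLSign is mandatory for a CRL issuer
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, pub, key)
	if err != nil { return }
	issuer, err := x509.ParseCertificate(caDER)
	if err != nil { return }
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}}}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	if err != nil { return }
	revoked, _ = checkCRL(der, issuer, big.NewInt(42), now)
	good, _ = checkCRL(der, issuer, big.NewInt(43), now)
	stale, _ = checkCRL(der, issuer, big.NewInt(43), now.Add(48*time.Hour))
	return revoked, good, stale, len(der), nil // size is the CRL's DER length in bytes
}
```

A cached copy is only as good as its nextUpdate: the "unknown" result for the two-day-old check is the point at which an HTTP cache must refetch rather than keep serving the old CRL.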
