Gervase,

Gervase Markham wrote:
> Frank Hecker wrote:
> > * This approach is also not dependent on SSL, much less on CA revocation of SSL certs. It's also presumably significantly faster to detect and shut down sites than an approach based on OCSP validation of certs, since IIRC the current state of OCSP is that the timeframe for revocation is driven by the schedule for issuance of CRLs, i.e., the results of an OCSP check are not necessarily any more up to date than the results of a CRL check.
>
> Even if that's true, it could not be in the future. And I would hope such events would be rare enough to cause an out-of-time CRL update and corresponding OCSP update.
>
> There is nothing that disallows an OCSP responder from providing up-to-date information, even though it isn't required by RFCs to be more up-to-date than CRLs.

FYI, currently NSS always looks at CRLs, if available locally, and it looks at OCSP if enabled. So in some cases, NSS will check both.
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
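The thread above turns on two points: an OCSP answer is only as fresh as the data behind the responder (a CRL-backed responder reports the same thisUpdate as the CRL it was built from), and a client that consults both sources has to decide what to do when they disagree or when one is stale. The following is an added example, not NSS code and not from any poster in this thread; it models one plausible way to combine a locally cached CRL with an OCSP response using the thisUpdate/nextUpdate fields from RFC 5280 and RFC 6960. The combining rules (any usable "revoked" wins, otherwise trust the source with the latest thisUpdate) and the timestamps in `demo()` are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Tuple


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class RevocationInfo:
    """One revocation answer for a certificate, from a CRL or an OCSP response.

    this_update / next_update follow the RFC 5280 (CRL) and RFC 6960 (OCSP)
    field names: the answer reflects the issuer's state as of this_update,
    and the source promises fresher data by next_update.
    """
    source: str            # "crl" or "ocsp"
    status: Status
    this_update: datetime
    next_update: datetime


def is_usable(info: Optional[RevocationInfo], now: datetime) -> bool:
    """A source we do not have, or one outside its validity window, gives no answer."""
    return info is not None and info.this_update <= now <= info.next_update


def decide(crl: Optional[RevocationInfo], ocsp: Optional[RevocationInfo],
           now: datetime) -> Tuple[Status, str]:
    """Combine a cached CRL with an OCSP response when both were consulted.

    Assumed rules for this example (not NSS's actual policy):
      * any usable source that says REVOKED wins, regardless of its age;
      * otherwise believe the usable source with the latest this_update,
        since that is the one whose data is actually more current;
      * with no usable source the status is UNKNOWN.
    Returns the status and the name of the source that decided it.
    """
    usable = [i for i in (crl, ocsp) if is_usable(i, now)]
    if not usable:
        return Status.UNKNOWN, "none"
    for info in usable:
        if info.status is Status.REVOKED:
            return Status.REVOKED, info.source
    # max() keeps the first maximal element, so on a tie the CRL is reported.
    freshest = max(usable, key=lambda i: i.this_update)
    return freshest.status, freshest.source


def ocsp_freshness_gain(crl: RevocationInfo, ocsp: RevocationInfo) -> timedelta:
    """How much newer the OCSP answer is than the CRL; zero for a CRL-backed responder."""
    return max(ocsp.this_update - crl.this_update, timedelta(0))


def demo() -> Dict[str, object]:
    """Constructed scenario: daily CRL issued at T, CA revokes the cert at T+1h."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    crl = RevocationInfo("crl", Status.GOOD, t0, t0 + day)
    # Responder that merely replays the CRL: same thisUpdate, same stale answer.
    ocsp_from_crl = RevocationInfo("ocsp", Status.GOOD, t0, t0 + day)
    # Responder backed by the CA's live database: sees the revocation at T+1h.
    ocsp_realtime = RevocationInfo("ocsp", Status.REVOKED,
                                   t0 + timedelta(hours=1), t0 + timedelta(hours=2))
    # An OCSP response whose nextUpdate has passed must not be trusted.
    ocsp_expired = RevocationInfo("ocsp", Status.REVOKED,
                                  t0 - day, t0 - timedelta(hours=1))
    now = t0 + timedelta(hours=1, minutes=30)
    return {
        "crl_only": decide(crl, None, now),
        "crl_plus_crl_backed_ocsp": decide(crl, ocsp_from_crl, now),
        "crl_plus_realtime_ocsp": decide(crl, ocsp_realtime, now),
        "crl_plus_expired_ocsp": decide(crl, ocsp_expired, now),
        "nothing_usable": decide(None, ocsp_expired, now),
        "gain_crl_backed": ocsp_freshness_gain(crl, ocsp_from_crl),
        "gain_realtime": ocsp_freshness_gain(crl, ocsp_realtime),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the scenario makes is Frank's and Gervase's at once: with a CRL-backed responder the OCSP check adds no freshness (gain of zero, and the decision is the same stale "good"), whereas a responder with live data catches the revocation an hour after the CRL was cut. Checking both sources, as the reply says NSS does, is only useful to the extent that the responder's thisUpdate actually moves ahead of the CRL's.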