There are other differences:

- CRL's can be big
- An org might consider its CRL private info ("ooh look, Fred must have gotten fired")
- It's hard to *prove* you consulted a CRL; for OCSP use a hash of your "real" document as the nonce, and save the response.
- An OCSP responder can work off "faster" information than just the CA's CRL.

hope this helps.
/r$

--
Zolera Systems, http://www.zolera.com
Information Integrity, XML Security
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
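
The nonce suggestion in the message above, as an added example that is not part of the original post: using Python's `cryptography` package, the request nonce is set to SHA-256 of the document, and an archived response is later checked for a valid signature and the same nonce. The throwaway CA, the stand-in responder and all function names here are constructed for illustration.

```python
import datetime
import hashlib
from cryptography import exceptions, x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

def build_request(cert, issuer, document):
    """OCSP request whose nonce is SHA-256 of the document being relied on."""
    nonce = x509.OCSPNonce(hashlib.sha256(document).digest())
    return (ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA256())
            .add_extension(nonce, critical=False).build())

def response_covers(saved_der, document, responder_key):
    """True only if the saved response is signed and echoes SHA-256(document)."""
    resp = ocsp.load_der_ocsp_response(saved_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False
    try:
        responder_key.verify(resp.signature, resp.tbs_response_bytes,
                             ec.ECDSA(resp.signature_hash_algorithm))
        echoed = resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    except (exceptions.InvalidSignature, x509.ExtensionNotFound):
        return False  # altered bytes, or the responder did not echo the nonce
    return echoed == hashlib.sha256(document).digest()

# Constructed fixtures: a throwaway CA that also acts as the OCSP responder.
def demo_pki():
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Demo CA")])
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "signer.example")])
    def issue(name, key):
        return (x509.CertificateBuilder().subject_name(name).issuer_name(ca_name)
                .public_key(key.public_key()).serial_number(x509.random_serial_number())
                .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
                .sign(ca_key, hashes.SHA256()))
    return issue(leaf_name, leaf_key), issue(ca_name, ca_key), ca_key

def demo_respond(request, cert, issuer, ca_key, echo_nonce=True):
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=cert, issuer=issuer, algorithm=hashes.SHA256(),
        cert_status=ocsp.OCSPCertStatus.GOOD, this_update=now, next_update=None,
        revocation_time=None, revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, issuer)
    for ext in (request.extensions if echo_nonce else []):
        builder = builder.add_extension(ext.value, ext.critical)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)
```

A response that omits the nonce (`echo_nonce=False` here) fails the check, so the archived bytes only serve as evidence when the responder actually echoes it.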