Comparison To CRLs
- Since an OCSP response contains less information than a typical CRL (certificate revocation list), OCSP can feasibly provide more timely information regarding the revocation status of a certificate without burdening the network. However, the greater number of requests and connection overhead may overwhelm this benefit if the client does not cache responses.
- Using OCSP, clients do not need to parse CRLs themselves, saving client-side complexity. However, this is balanced by the practical need to maintain a cache. In practice, such considerations are of little consequence, since most applications rely on third-party libraries for all X.509 functions.
- CRLs may be seen as analogous to a credit card company's "bad customer list" – an unnecessary public exposure.
- OCSP discloses to the responder that a particular network host used a particular certificate at a particular time. OCSP does not mandate encryption, so this information also may be intercepted by other parties.