[caops-wg] OCSP section 4

Olle Mulmo mulmo at pdc.kth.se
Fri Jun 3 04:41:22 CDT 2005


On Jun 3, 2005, at 01:30, Mike Helm wrote:

> I think it is hard to make one right answer & don't have a strong 
> opinion on this,
> but why _wouldn't_ the static info (local CRL) be the usual first 
> test?  Isn't it
> always the cheapest test?  Since it should _never_ be better than
> the OCSP check, checking it last seems useless unless (and only unless)
> all the OCSP responses are timeouts or unknown.  So just do it first
> and then forget it (see above).

I'm not sure the gain outweighs the additional complexity. How many 
percent of the issued certificates are typically revoked? That's the 
maximum reduction of OCSP queries that you would get as a result. Plus, 
you have to watch out when encoding the logic: if you process the CRL 
first, the cert not being in the CRL should equal "unknown" and you 
should continue looking at other places; if you process the CRL last 
and the cert is not in the CRL, it should evaluate to "good".

IMO, it's only when you run a well-managed central service that you 
would really gain by querying CRLs first and assuming that a non-entry 
means "good", as that requires proper conduct in regards to keeping the 
local CRL updated. The text in 4.2 should be enhanced to reflect this 
consideration.

We all know what disaster it is to have CRLs on client machines where 
we couldn't control such a conduct -- we shouldn't even try that again.

Also, one has to weigh risk into the equation. For instance, a 
service may trust the locally cached CRL for HTTPS handshakes, but make 
an extra OCSP query before processing a transaction worth > €10,000. 
This is of course under the assumption that the OCSP query would return 
a state that is fresher (more fresh?) than what's available in the 
local CRL.

/Olle
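The ordering subtlety discussed above (a cert absent from the CRL means "unknown, keep looking" when the CRL is consulted first, but "good" when it is the last source) and the value-dependent OCSP rule, as an added illustration that is not part of this thread; the source classes, serial numbers and responder answers are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # no definitive answer: not listed, timeout, or "unknown"


@dataclass
class LocalCRL:
    """Locally cached CRL (constructed: a set of revoked serial numbers)."""
    revoked_serials: frozenset

    def check(self, serial: int, is_last: bool) -> Status:
        if serial in self.revoked_serials:
            return Status.REVOKED
        # Absence from the CRL is only "good" when the CRL is the final authority;
        # when other sources follow, it merely means "not known to be revoked here".
        return Status.GOOD if is_last else Status.UNKNOWN


@dataclass
class OCSPResponder:
    """Stand-in for an OCSP responder (constructed: serial -> "good"/"revoked";
    a missing serial models a timeout or an "unknown" response)."""
    answers: dict

    def check(self, serial: int, is_last: bool) -> Status:
        answer = self.answers.get(serial)
        if answer == "revoked":
            return Status.REVOKED
        if answer == "good":
            return Status.GOOD
        return Status.UNKNOWN


def revocation_status(serial: int, sources: list) -> Status:
    """Consult sources in the given order; the first definitive answer wins."""
    for i, src in enumerate(sources):
        status = src.check(serial, is_last=(i == len(sources) - 1))
        if status is not Status.UNKNOWN:
            return status
    return Status.UNKNOWN   # every source timed out / was unknown: fail closed


def authorize(serial: int, crl: LocalCRL, ocsp: OCSPResponder,
              amount_eur: int, threshold_eur: int = 10_000) -> bool:
    """Cheap cached-CRL check for routine work; above the threshold the CRL is
    only an early reject and a definitive OCSP answer is required."""
    sources = [crl] if amount_eur <= threshold_eur else [crl, ocsp]
    return revocation_status(serial, sources) is Status.GOOD
```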