[webkit-dev] OCSP vs. CRL
ppedriana at gmail.com
Sun Feb 1 21:58:13 PST 2009
We are looking at adding revocation support to our TLS/SSL
implementation. OCSP seems like it might be a lower overhead system for
us to support. I'd like to avoid supporting both OCSP and CRL if
possible. I'm wondering how well OCSP works in practice. Towards the
bottom of the OCSP Wikipedia page listed below there is a comment about
performance issues of OCSP on Safari, though perhaps it is out of date.
I'm wondering if there is any practical experience that can give us
reasons to support one of these or necessarily both.
Online Certificate Status Protocol (OCSP)
RFC 2560 (http://tools.ietf.org/html/rfc2560)
Certificate Revocation Lists (CRL)
RFC 3280 (http://tools.ietf.org/html/rfc3280)
More information about the webkit-dev