[webkit-dev] OCSP vs. CRL

Paul Pedriana ppedriana at gmail.com
Sun Feb 1 21:58:13 PST 2009

We are looking at adding revocation support to our TLS/SSL 
implementation. OCSP seems like it might be a lower overhead system for 
us to support. I'd like to avoid supporting both OCSP and CRL if 
possible. I'm wondering how well OCSP works in practice. Towards the 
bottom of the OCSP Wikipedia page listed below there is a comment about 
performance issues of OCSP on Safari, though perhaps it is out of date. 
I'm wondering if there is any practical experience that can give us 
reasons to support one of these or necessarily both.

Online Certificate Status Protocol (OCSP)
RFC 2560 (http://tools.ietf.org/html/rfc2560)

Certificate Revocation Lists (CRL)
RFC 3280 (http://tools.ietf.org/html/rfc3280)

More information about the webkit-dev mailing list