by count 5347 days ago
Just a nitpick, but OCSPs is not the plural of OCSP, and you don't 'download' it the way a CRL works. OCSP stands for 'Online' Certificate Status Protocol, and is a query/response protocol, that functions much like the DNS - you don't download the whole deal, you ask about the validity of a specific, single record, and get a 'yes'/'no' response.

OCSP is a privacy problem, as well as a bottleneck/performance problem for any large, non-organizational CA, such as Verisign and their compatriots. Every single SSL certificate must be checked at each handshake in order to make sure it hasn't been revoked in the past 'n' hours (there is some caching, which kind of defeats the purpose). This means that in practice, the CAs know who is visiting what sites, and that they must be online and active and responding in a timely fashion (like the DNS) before a browser will allow an HTTPS connection.
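The query/response exchange the comment describes, as an added example that is not part of the comment: a throwaway CA and two leaf certificates are constructed inline with the `cryptography` package, one function plays the CA's OCSP responder and another plays the client's validation step. It shows that each lookup names exactly one serial number (which is what the CA learns about the visit), that the responder's `next_update` defines the cache window the comment mentions, and that a client has to reject stale, mis-matched or unsigned answers. The responder here is the issuing CA itself; delegated responder certificates and the HTTP transport are left out.

```python
# Added example, not from the HN comment. Requires: pip install cryptography
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def _utcnow():
    """Naive UTC timestamp, the form the x509/OCSP builders accept."""
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def _time_field(resp, name):
    """Read this_update/next_update on old and new library versions as naive UTC."""
    dt = getattr(resp, name + "_utc", None) or getattr(resp, name)
    if dt.tzinfo is not None:
        dt = dt.astimezone(datetime.timezone.utc).replace(tzinfo=None)
    return dt


def make_ca():
    """Constructed throwaway self-signed CA; it also signs OCSP responses."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    now = _utcnow()
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=1))
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, hostname):
    """Constructed server certificate issued by the throwaway CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = _utcnow()
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=1))
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def build_request(leaf, issuer):
    """Client side: one query about one certificate (its serial plus issuer hashes)."""
    req = ocsp.OCSPRequestBuilder().add_certificate(leaf, issuer, hashes.SHA1()).build()
    return req.public_bytes(serialization.Encoding.DER)


class Responder:
    """CA-side OCSP responder: an issued/revoked table plus the CA signing key."""

    def __init__(self, ca_key, ca_cert, issued, cache_ttl=datetime.timedelta(hours=1)):
        self.key, self.cert, self.cache_ttl = ca_key, ca_cert, cache_ttl
        self.issued = {c.serial_number: c for c in issued}   # serial -> certificate
        self.revoked = {}                                    # serial -> revocation time
        self.queries_seen = []   # every lookup tells the CA which serial (site) was visited

    def revoke(self, cert):
        self.revoked[cert.serial_number] = _utcnow()

    def answer(self, der_request):
        req = ocsp.load_der_ocsp_request(der_request)
        self.queries_seen.append(req.serial_number)
        cert = self.issued.get(req.serial_number)
        if cert is None:   # not ours: a non-successful response, nothing to sign
            return ocsp.OCSPResponseBuilder.build_unsuccessful(
                ocsp.OCSPResponseStatus.UNAUTHORIZED).public_bytes(serialization.Encoding.DER)
        now, revoked_at = _utcnow(), self.revoked.get(req.serial_number)
        status = ocsp.OCSPCertStatus.REVOKED if revoked_at else ocsp.OCSPCertStatus.GOOD
        resp = (ocsp.OCSPResponseBuilder()
                .add_response(cert=cert, issuer=self.cert, algorithm=hashes.SHA1(),
                              cert_status=status, this_update=now,
                              next_update=now + self.cache_ttl,   # how long clients may cache
                              revocation_time=revoked_at, revocation_reason=None)
                .responder_id(ocsp.OCSPResponderEncoding.HASH, self.cert)
                .sign(self.key, hashes.SHA256()))
        return resp.public_bytes(serialization.Encoding.DER)


def check_status(der_response, leaf, responder_cert, now=None):
    """Client side: accept only a signed, fresh answer about this exact serial."""
    now = now or _utcnow()
    resp = ocsp.load_der_ocsp_response(der_response)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "error:" + resp.response_status.name
    if resp.serial_number != leaf.serial_number:   # an answer for some other certificate
        return "error:serial-mismatch"
    try:
        responder_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                           padding.PKCS1v15(), resp.signature_hash_algorithm)
    except InvalidSignature:
        return "error:bad-signature"
    if not _time_field(resp, "this_update") <= now <= _time_field(resp, "next_update"):
        return "error:stale"   # outside the cache window: must ask again
    return resp.certificate_status.name.lower()   # "good" or "revoked"


def demo():
    ca_key, ca_cert = make_ca()
    leaf = issue_leaf(ca_key, ca_cert, "www.example.test")
    other = issue_leaf(ca_key, ca_cert, "mail.example.test")
    responder = Responder(ca_key, ca_cert, [leaf, other])
    query = build_request(leaf, ca_cert)
    results = {"fresh": check_status(responder.answer(query), leaf, ca_cert)}
    # Replaying a cached answer two hours later is past next_update and is rejected.
    results["stale"] = check_status(responder.answer(query), leaf, ca_cert,
                                    now=_utcnow() + datetime.timedelta(hours=2))
    responder.revoke(leaf)
    results["after_revoke"] = check_status(responder.answer(query), leaf, ca_cert)
    results["wrong_cert"] = check_status(responder.answer(query), other, ca_cert)
    results["ca_saw_only_this_serial"] = set(responder.queries_seen) == {leaf.serial_number}
    return results


if __name__ == "__main__":
    print(demo())
```

Each `answer()` call is one network round-trip in the real protocol, which is the dependency on the CA being online that the comment points at: a client that fails closed on `error:stale` or a missing response cannot complete the handshake without the responder.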