Franklin Lee wrote:
>
> Dear ChuHo,
>
> Thanks for your help.
>
> Dear all,
> Today, I have consolidated some data as researched from the web. Please see
> the attached. Though they are very preliminary, any comments would be greatly
> appreciated regarding:
>
> - security considerations (whether there are issues in distributing the CRL
> with either protocol?)
> - performance (which would be more suitable? which would be faster in terms
> of the speed of retrieval/processing)
Hi,
I would just add some considerations about the contents of CRLs. Indeed, CRLs
have their contents signed by the CA, so the data (which is public) is protected
against forgery or alteration by the signature: a secure transmission layer
is therefore not required while transferring CRLs.
Moreover, many applications will make secure connections unavailable to
servers using certificates for which they do not have up-to-date CRLs (this is
the case with Netscape which, once a CRL for that CA has been imported, will not
establish an SSL connection to such servers if the CRL is not valid, i.e. expired).
Regarding the protocols to be used, I think (but this is only a personal opinion)
that today HTTP (not HTTPS) is the fastest and most widespread protocol for
distributing CRLs. FTP could be used too, but actually no application
I know of supports this kind of protocol. The main reason I say this is that
by now no real support for LDAPv3 has been publicly and widely available
as open-source software (OpenLDAP is still v2), and the HTTP protocol is supported
by every application I have seen: so HTTP is the cheapest available by now and
the easiest to set up.
These considerations are strictly tied to the current situation regarding
software availability, and I think they will change soon (within 1 year) as LDAP
support is added to most of the available applications.
I suggest you consider some other form of certificate validity check, such as
OCSP or SCVP, available on the IETF pages (and mailing lists) (www.ietf.org).
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
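The two checks this reply relies on, the CA signature protecting the CRL contents and the refusal to connect when the CRL is past its nextUpdate, as an added example that is not part of the original thread: a small Go program using only the standard crypto/x509 package (no network) builds a throwaway CA, issues a CRL, and runs a relying-party check over a fresh copy, an expired copy, a CRL signed by an impostor CA with the same name, and a copy altered in transit. The CA name, the function names makeCA, issueCRL, checkCRL and scenarios, and the serial numbers 1001/1002 are assumptions made up for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verdicts a relying party can reach; any non-nil result must abort the handshake.
var (
	errUntrusted  = errors.New("CRL is not signed by the trusted CA")
	errCRLExpired = errors.New("CRL nextUpdate has passed; refusing to use it")
	errRevoked    = errors.New("certificate serial is listed as revoked")
)

// makeCA builds a self-signed CA with the cRLSign key usage (constructed fixture, not a real CA).
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issueCRL is the CA side: a DER CRL listing the given serials, valid until nextUpdate.
func issueCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, revoked []int64, nextUpdate time.Time) []byte {
	thisUpdate := nextUpdate.Add(-7 * 24 * time.Hour) // issued a week before it expires
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: thisUpdate})
	}
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: nextUpdate,
		RevokedCertificates: entries, // older field name, so this builds on Go 1.19+
	}, ca, key)
	if err != nil {
		panic(err)
	}
	return der
}

// checkCRL is the relying-party side. It assumes nothing about how the DER bytes
// arrived (plain HTTP is fine): integrity rests on the CA signature, freshness on
// nextUpdate, and the verdict on the revoked-serial list.
func checkCRL(der []byte, ca *x509.Certificate, serial *big.Int, now time.Time) error {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return fmt.Errorf("%w: parse: %v", errUntrusted, err)
	}
	if !bytes.Equal(crl.RawIssuer, ca.RawSubject) {
		return fmt.Errorf("%w: issuer name mismatch", errUntrusted)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("%w: %v", errUntrusted, err)
	}
	if now.After(crl.NextUpdate) {
		return errCRLExpired
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return errRevoked
		}
	}
	return nil
}

// scenarios returns the verdict for each case a client meets in practice.
func scenarios() map[string]error {
	ca, caKey := makeCA("Demo CA")
	rogueCA, rogueKey := makeCA("Demo CA") // attacker: same name, different key
	now := time.Now()
	fresh := issueCRL(ca, caKey, []int64{1001}, now.Add(24*time.Hour))
	stale := issueCRL(ca, caKey, []int64{1001}, now.Add(-time.Hour))
	forged := issueCRL(rogueCA, rogueKey, nil, now.Add(24*time.Hour)) // claims nothing is revoked
	// In-flight alteration: rewrite revoked serial 1001 (DER 02 02 03 E9) to 1000.
	tampered := bytes.Replace(fresh, []byte{0x02, 0x02, 0x03, 0xE9}, []byte{0x02, 0x02, 0x03, 0xE8}, 1)
	return map[string]error{
		"fresh-unrevoked": checkCRL(fresh, ca, big.NewInt(1002), now),
		"fresh-revoked":   checkCRL(fresh, ca, big.NewInt(1001), now),
		"expired":         checkCRL(stale, ca, big.NewInt(1002), now),
		"forged":          checkCRL(forged, ca, big.NewInt(1001), now),
		"tampered":        checkCRL(tampered, ca, big.NewInt(1001), now),
	}
}

func main() {
	for name, verdict := range scenarios() {
		fmt.Printf("%-16s %v\n", name, verdict)
	}
}
```

Only the fresh, untampered CRL signed by the trusted CA yields a usable verdict; the forged and tampered copies fail the signature step regardless of how they were fetched, and the expired copy is rejected before any serial is consulted, which is the behaviour attributed to Netscape above.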