Class -- compare and contrast -- Rich Salz writes: > > Well, make that hard choice: do you want to have your software fail > > when an up-to-date CRL is not available, or do you want to make your > > software susceptible to a denial-of-service attack on the CRL distro > > process? > > Exactly. Security is all about risk management. Which is more likely ...
> If you really care, have your CA issue a CRL-issuing-certs to someone else. [believe that's an indirect crl] A well known openssl personage writes (in a private response to me): > On Sun, Jan 18, 2004, Michael Helm wrote: > > Can openssl validate certs against delta crls? Indirect crl's? > It doesn't at present but might in future if there's enough interest or if > any CAs actually start using the things. How do we escape from this deadlock? ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
