CRL vs OCSP

CRL (Certificate Revocation List):-

+When a browser accesses an HTTPS URL, it verifies the server's certificate. As part of that verification it also checks whether the certificate has been revoked:
+The certificate's serial number is noted down.
+The browser downloads the CRL file from the URL listed in the certificate's CRL Distribution Points extension.
+It checks whether the noted serial number (Evernote's certificate serial number in this example) is present in the CRL file; if it is, we get an error saying "certificate is revoked".
Disadvantages:-
=============
+The browser has to check thousands of entries in the list.
+A CRL is updated only every 5-15 days; a certificate revoked in between is still trusted until the next list is published.
+If the CRL file cannot be downloaded, the site is trusted anyway (soft fail).
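The CRL check walked through above, as an added example in Go that is not part of the original post: it builds a constructed CA and a CRL with the standard library only, then performs the client-side steps (download/parse, verify the CA's signature on the list, refuse a stale list instead of trusting the site, look up the serial number). The CA name, serial numbers 1001 and 1002 and the 7-day CRL validity are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkCRL mirrors the client-side steps above: parse the downloaded CRL, confirm the issuing CA
// signed it, reject a stale list rather than trusting the site, then look the serial number up.
func checkCRL(serial *big.Int, crlDER []byte, issuer *x509.Certificate, now time.Time) (string, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return "", fmt.Errorf("CRL not signed by the issuing CA: %w", err)
	}
	if now.After(rl.NextUpdate) { // the freshness gap noted above; hard-fail instead of trusting
		return "", fmt.Errorf("CRL stale since %s; fetch a fresh one", rl.NextUpdate.Format(time.RFC3339))
	}
	for _, e := range rl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}

// demo builds a constructed CA and a 7-day CRL that revokes only serial 1002, then checks serial
// as a client would daysLater days on. Setup errors are ignored: this is constructed demo data.
func demo(serial int64, daysLater int) (string, error) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Example CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER) // the parsed copy carries the SubjectKeyId the CRL signer needs
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(1002), RevocationTime: now}},
	}, ca, caKey)
	return checkCRL(big.NewInt(serial), crlDER, ca, now.AddDate(0, 0, daysLater))
}
```

Calling demo(1002, 0) returns "revoked", demo(1001, 0) returns "good", and demo(1001, 10) returns a stale-CRL error, which is the window the second disadvantage above describes.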
 
 
OCSP (Online Certificate Status Protocol):-
Browser---OCSP req(Serial num)----------------------->CA
Browser<---OCSP response(Good/Revoked/Unknown)-------CA
+The client sends an OCSP request to an OCSP responder (over HTTP) containing the certificate's serial number.
+The OCSP responder replies with a certificate status of Good, Revoked or Unknown.
 
 


