CRL vs OCSP
CRL (Certificate Revocation List):-
+When a browser accesses an HTTPS URL, it verifies the server's certificate. During the verification process it also checks for revocation.
+The certificate's serial number is noted down.
+The browser downloads the CRL file from the URL given in the certificate's CRL Distribution Points extension.
+In the CRL file it checks whether that serial number is present or not; if present, we get an error saying "certificate is revoked".
Disadvantages:-
=============
+The browser has to check thousands of lines.
+The CRL is updated only every 5-15 days; until the next update, a certificate revoked in the meantime will still be trusted.
+If the CRL file cannot be downloaded, the site will be trusted anyway.
OCSP (Online Certificate Status Protocol):-
Browser---OCSP req(Serial num)----------------------->CA
Browser<---OCSP response(Good/Revoked/Unknown)--------CA
+The client sends an OCSP request to an OCSP responder (over HTTP) with the certificate's serial number.
+The OCSP responder replies with a certificate status of either Good, Revoked or Unknown.
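To make the difference concrete, here is a small Python model, added here and not part of the original post, of a CA that publishes CRL snapshots and answers OCSP queries from its live revocation database; the client-side crl_check reproduces the stale-CRL and soft-fail behaviour listed under disadvantages. The ToyCA class, the serial numbers and the dates are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
DAY = timedelta(days=1)
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference date

class ToyCA:
    """Constructed CA model: live revocation database plus the CRL snapshot it last published."""
    def __init__(self, issued, publish_interval=7 * DAY):
        self.issued = set(issued)      # serials this CA has signed
        self.revoked = {}              # serial -> time of revocation
        self.publish_interval = publish_interval
        self.crl = None                # last published CRL (None = never published)

    def revoke(self, serial, when):
        self.revoked[serial] = when

    def publish_crl(self, now):
        # A CRL is a signed snapshot: a revocation after this_update is invisible until the next publish.
        self.crl = {"this_update": now, "next_update": now + self.publish_interval,
                    "revoked": frozenset(s for s, t in self.revoked.items() if t <= now)}
        return self.crl

    def ocsp_respond(self, serial, now):
        # OCSP answers from the live database, so a fresh revocation shows up immediately.
        if serial not in self.issued:
            return "unknown"
        revoked_at = self.revoked.get(serial)
        return "revoked" if revoked_at is not None and revoked_at <= now else "good"

def crl_check(serial, crl, now, soft_fail=True):
    """Client-side CRL lookup (crl is None when the download failed); soft_fail=True mirrors the browser behaviour above."""
    if crl is None or now > crl["next_update"]:
        return "good" if soft_fail else "unknown"   # missing or stale CRL
    # set membership instead of scanning thousands of lines
    return "revoked" if serial in crl["revoked"] else "good"

def revocation_timeline():
    """Cert issued, CRL published on day 0, cert revoked on day 2, checked on day 3 and day 7."""
    serial, ca = 0x1A2B3C, ToyCA(issued={0x1A2B3C})
    ca.publish_crl(T0)
    ca.revoke(serial, T0 + 2 * DAY)
    day3, day7 = T0 + 3 * DAY, T0 + 7 * DAY
    return {
        "crl_day3": crl_check(serial, ca.crl, day3),                      # stale snapshot: trusted
        "ocsp_day3": ca.ocsp_respond(serial, day3),                       # live answer: revoked
        "crl_day3_no_download": crl_check(serial, None, day3),            # soft-fail: trusted
        "crl_day3_hard_fail": crl_check(serial, None, day3, soft_fail=False),
        "crl_day7_republished": crl_check(serial, ca.publish_crl(day7), day7),
        "ocsp_unknown_serial": ca.ocsp_respond(0xBEEF, day3),             # not issued by this CA
    }
```

Call revocation_timeline() to see that on day 3 the CRL still reports "good" while OCSP already reports "revoked", and that a failed CRL download is trusted under soft-fail.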