Security Hype 7.4 - OCSP, CRL, and Vista's new SSL tricks

Bill and Bob catch up on listener feedback, then delve into more details about digital certificates. Certificates and private keys may become compromised before they expire. CRL and OCSP are two methods that applications and systems can use to verify the status of digital certificates. Microsoft Vista, for the first time, now performs certificate revocation status checking by default. This is a good thing and we hope other systems and applications follow their lead.

Do you use CRLs, OCSP, or something else in your PKI? How did you decide which protocol to support, if any? We’d love to know. Have you encountered any OCSP-related errors in Vista? We have, and we’ll talk about them in upcoming episodes.

If you’d like to join the conversation, send your feedback to comments@SecurityHype.com. Thank you for listening!

One Response to “Security Hype 7.4-OCSP, CRL, and Vista’s new SSL tricks”

  1. Chris Knadle says:

    I’ve been looking into setting up an OCSP responder for SSL certificates since from what I’ve heard many systems don’t check CRLs by default, but will check via OCSP. At least some browsers don’t check CRLs, and where they do at least some ask for the user to import a CRL list manually; whereas OCSP setup is a couple of clicks to activate it. So from the user standpoint, OCSP is much easier to set up and use. From the admin point of view OCSP is more difficult because it requires making special SSL keys for the OCSP responder, and finding documentation on how to do that isn’t straightforward.

    – Chris
