Comments on: Security Hype 7.4-OCSP, CRL, and Vista’s new SSL tricks http://www.securityhype.com/blog/archives/23 Security clarity. One listener at a time. Wed, 07 Jan 2009 14:06:58 +0000 http://wordpress.org/?v=2.3.3 By: Chris Knadle http://www.securityhype.com/blog/archives/23#comment-208 Chris Knadle Mon, 12 Nov 2007 18:15:58 +0000 http://www.securityhype.com/blog/archives/23#comment-208 I've been looking into setting up an OCSP responder for SSL certificates since from what I've heard many systems don't check CRLs by default, but will check via OCSP. At least some browsers don't check CRLs, and where they do at least some ask for the user to import a CRL list manually; whereas OCSP setup is a couple of clicks to activate it. So from the user standpoint, OCSP is much easier to set up and use. From the admin point of view OCSP is more difficult because it requires making special SSL keys for the OCSP responder, and finding documentation on how to do that isn't straightforward. -- Chris I’ve been looking into setting up an OCSP responder for SSL certificates since from what I’ve heard many systems don’t check CRLs by default, but will check via OCSP. At least some browsers don’t check CRLs, and where they do at least some ask for the user to import a CRL list manually; whereas OCSP setup is a couple of clicks to activate it. So from the user standpoint, OCSP is much easier to set up and use. From the admin point of view OCSP is more difficult because it requires making special SSL keys for the OCSP responder, and finding documentation on how to do that isn’t straightforward.

– Chris

]]>