[19863] in bugtraq
Re: Verisign certificates problem
daemon@ATHENA.MIT.EDU (Michael Reilly)
Tue Mar 27 04:16:53 2001
Message-ID: <NDBBILGMDJCMOAOEPNBEIELEHJAA.michaelr@cisco.com>
Date: Mon, 26 Mar 2001 12:10:41 -0800
Reply-To: Michael Reilly <michaelr@CISCO.COM>
From: Michael Reilly <michaelr@CISCO.COM>
X-To: "Ogle Ron (Rennes)" <OgleR@THMULTI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <05B4910E0216D411B14F00508B6A67A94BCF0F@RENEXCH5.rennes.thmulti.com>
>>I'd have to say though that the CDP field works rather well. I run a rather
>>large set of CAs. When we were just using the monolithic CRL, each client
>>takes a long time to do verification of certificates. When we switched to
>>the distribution point extension, verification checking time fell
>>considerably.
Depends on which CA server you are using and on how large the CRL is. We
have processed CRLs larger than 8kb in under a second but it took that CA
over 60 seconds to respond to the request to send the CRL. Other vendors' CA
servers respond much faster. With a small CA and a fast responding server
it could take longer to verify the signature on the CRL than it takes to
actually get the CRL and check the contents.
michael