
Which one is easier to use?

I wonder if there is an easy yet durable solution for getting my users (Android phones) to be able to verify whether another user's certificate has not been revoked. After reading on the net, I am still confused about whether it is better to implement CRL, OCSP or other methods.

• The app might have around 10 000 users.
• The certificates used in the app are signed by us. We have a rather simple Certificate Authority ourselves, which the app trusts.

I prefer not to go for temporary solutions where backward compatibility could be expensive later on when we implement a better solution.

cyberPrivacy

1 Answer


On any device, a CRL should be easier to implement and gives less trouble. Why? Because an OCSP response has to be signed by a hardware/software token. So when 5000 users request OCSP validation at the same time, the hardware/software token needs to handle that through multithreading, and of course there will be a limit on the number of requests/responses it can handle. On the other hand, a CRL can already be signed and stored in a database/file and given back to the user. So in that case, even 50000 users can request the CRL at a time. I tested 1000 requests for a CRL, which worked flawlessly, while only 300 OCSP requests could be handled at the same time.

But there is one thing. In most cases, users want to get the current certificate status. In this case, OCSP is more efficient and preferable to most people. Also, a CRL needs a worker to update it periodically.

miken32
Saqib Rezwan
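Added example, not code from the question or the answer: the client-side half of the CRL approach the answer describes, written for the Android/Java side. It assumes a background worker has already downloaded the CA-signed CRL to the device, that users' certificates are issued directly by the app's own CA, and it treats a CRL past its nextUpdate as unusable rather than silently accepting a stale list (the "worker must update periodically" caveat above).

```java
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

/** Added example, not code from the post: verify another user's certificate against our own
 *  CA using a CRL that a background worker downloaded earlier and stored on the device.
 *  The whole check runs offline; the CA is the only trust anchor (assumed setup). */
public final class CrlCheck {
    /** Callers need to tell "revoked" apart from "our CRL copy is too old". */
    public enum Status { VALID, REVOKED, CRL_STALE, INVALID }

    // caIn/peerIn: DER or PEM X.509 certs; crlIn: DER CRL signed by the CA; now: injectable clock.
    public static Status check(InputStream caIn, InputStream peerIn,
                               InputStream crlIn, Date now) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca = (X509Certificate) cf.generateCertificate(caIn);
        X509Certificate peer = (X509Certificate) cf.generateCertificate(peerIn);
        X509CRL crl = (X509CRL) cf.generateCRL(crlIn);

        // 1. The CRL must carry our CA's signature; otherwise whoever can tamper with the
        //    download could serve an empty "nothing revoked" list. verify() throws on failure.
        crl.verify(ca.getPublicKey());

        // 2. A CRL past nextUpdate says nothing about the current status: fail closed and let
        //    the caller trigger a refresh instead of silently trusting a stale list.
        if (crl.getNextUpdate() != null && crl.getNextUpdate().before(now)) {
            return Status.CRL_STALE;
        }

        // 3. Serial-number lookup in the verified CRL.
        if (crl.isRevoked(peer)) return Status.REVOKED;

        // 4. PKIX does chain building, validity dates and its own revocation lookup, using
        //    only the CRL we hand it (no network fetch during validation).
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(ca, null)));
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(crl))));
        params.setRevocationEnabled(true);
        params.setDate(now);
        try {
            CertPathValidator.getInstance("PKIX")
                    .validate(cf.generateCertPath(Collections.singletonList(peer)), params);
            return Status.VALID;
        } catch (CertPathValidatorException e) {
            return Status.INVALID;   // bad chain, expired cert, wrong key usage, ...
        }
    }
}
```

The server only has to serve the same pre-signed CRL file to every client, which is why this scales the way the answer describes; a CRL_STALE result is the signal for the app to fetch a fresh copy.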