This week I was continuing working on the trust managers, and I added support for Certificate Revocation List. Certificate extension with OID 22.214.171.124 contain link to the server with CRL file. Spark Trust Manager before SSL connection downloads all CRL list from web, create additional CertStore, save this CRLs to that store and through PKIX parameters use it for checking certificates revocation.
What’s wrong with that method? Sometimes CRL lists can grow really huge, easy over 1000 entries so sometimes it can be over few MB of data. That can be sometimes overkill for some networks (someone still use dial up? ) and just parsing through it can takes some time. Anyway there is other way of checking if certificate is revoked which is Online Certificate Status Protocol. It allow to just send to server request for status of just one certificate so this save bandwidth and time. The only problem with that is it is less common extension for certificates, so if one doesn’t have it Trust Manager still have to support CRLs.
The fun thing I noticed is that often people asking for help on the Ignite Realtime forum and open chat have problem with establishing connection with Smack and they are happy when it starts work for them. In meantime I was few times happy when I couldn’t establish connection, because that means that SSL is working as there were no adequate certificate in TrustStore or it was invalid.
See you next week,