2) Wow, that's sheer load... How will it scale with more and more people on the net? However, for certificates, how many times does your browser check for a root certificate? Never... MS has built into Windows Update a system to download new root certificates, but that's all. You get it one time, you trust it and forget about it till expiration time... As root servers and ccTLDs and gTLDs are likely to be serious people, you don't need to make any query to get the certificates either. You just get them one time...
Cheers.
On Sat, 2002-06-08 at 02:27, Valdis.Kletnieks@vt.edu wrote:
On Sat, 08 Jun 2002 13:22:28 -0000, Franck Martin said:
> I was wondering if the best system to build a global PKI wouldn't be the
> DNS system already in place?

No.

1) There's *NOT* a good mapping between the DNS and LDAP (hint - DN=, O=, and OU+ can be at the same level...)

2) DNS has to be *FAST*, especially at the root - we're talking on the order of 200K queries a *SECOND*. You figure out how to do that while also tossing certificates around, let us know...

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech