"RL 'Bob' Morgan" <rlmorgan@washington.edu> writes: > On 12 Jun 2002, Eric Rescorla wrote: > > > Yes, because it's an edge case. > > So: "scalability is an edge case". I will restrain myself from > commenting further on this point. Good, because that's not what I said. I expect peers to send full cert chains to a small number of common roots. There's no reason this can't be made to scale, and since it's the only thing that works at all now, there's every reason to expect that it's what we'll continue to be using in the future. > > We barely have any PKI at all, I think it's a little early to start > > worrying about cross-certification. > > I'm sure you're aware that many folks, including Your Federal Government, > are designing and building systems that rely on cross-certification even > as we type. You may think these are doomed to failure (I have my doubts > myself) but you can't deny that they have requirements to meet. As you say, I think that those systems are doomed to failure. Even if I didn't it's not at all clear to me that the number of cross-linking certificates is going to be anywhere near large enough to require them to be fetched via DNS. -Ekr -- [Eric Rescorla ekr@rtfm.com] http://www.rtfm.com/