On Mon, 02 Dec 2002 14:33:16 PST, "Hallam-Baker, Phillip" said:

> OCSP scales fine for revocation checking. We can use the same
> platform that currently serves 6 billion DNS queries a day.

The fact that OCSP scales fine for revocation checking doesn't mean that you have a system that scales fine for the *TOTAL PROCESS*. Remember - the tough part isn't checking the list - the tough part is getting entries *INTO* the list in a secure manner.

Go back and re-read the issue at http://www.cert.org/advisories/CA-2001-04.html and ask yourself if a CRL would have been handled any differently. Remember - it was a *process* failure, not a software failure.

The DNS may answer 6 billion DNS queries a day. But I can name some DNS registrars that would take *MONTHS* to correctly transfer a domain. (The continuing refrain for *years* on NANOG: "Has *anybody* ever gotten PGP auth to work with these bozos?")

Also, there's the added issue that the DNS cuts down on traffic by way of caching. Unfortunately, that's the LAST thing you want a CRL to be doing (in particular, negative caching is an extreme no-no). You can tell the ISP's DNS server to cache the SOA and NS entries for amazon.com. You can't tell the ISP's OCSP server to cache the fact that there aren't any CRLs for the SSL cert that www.amazon.com uses.

/Valdis
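The negative-caching point above, as an added illustration that is not part of the message or thread: a toy model of a revocation-status client that caches answers for a DNS-style TTL, showing how long a revoked certificate keeps being accepted when "good" answers are cached versus when only "revoked" answers are. The responder, the serial number 0x1234 and all timings are constructed for the example.

```python
from dataclasses import dataclass, field

GOOD, REVOKED = "good", "revoked"


@dataclass
class Responder:
    """Authoritative revocation source (stand-in for an OCSP responder or CRL issuer)."""
    revoked: set = field(default_factory=set)

    def status(self, serial: str) -> str:
        return REVOKED if serial in self.revoked else GOOD


@dataclass
class CachingClient:
    """Relying party that caches status answers, like a DNS resolver caches RRsets."""
    responder: Responder
    ttl: int                 # seconds a cached answer is reused
    cache_negatives: bool    # True: also cache "good" (i.e. 'not revoked') answers
    cache: dict = field(default_factory=dict)

    def status(self, serial: str, now: int) -> str:
        entry = self.cache.get(serial)
        if entry is not None and now < entry[1]:
            return entry[0]                      # served from cache, responder not consulted
        s = self.responder.status(serial)
        # Revocation is final, so a cached REVOKED answer can never become stale.
        # A cached GOOD answer is exactly the "negative cache" that hides a later revocation.
        if s == REVOKED or self.cache_negatives:
            self.cache[serial] = (s, now + self.ttl)
        return s


def exposure_window(cache_negatives: bool, ttl: int = 3600,
                    revoke_at: int = 600, horizon: int = 7200, step: int = 60) -> int:
    """Seconds during which the client still accepts serial 0x1234 after it was revoked."""
    responder = Responder()
    client = CachingClient(responder, ttl, cache_negatives)
    accepted_after_revocation = 0
    for t in range(0, horizon, step):
        if t == revoke_at:
            responder.revoked.add("0x1234")      # constructed revocation event
        if client.status("0x1234", t) == GOOD and t >= revoke_at:
            accepted_after_revocation += step
    return accepted_after_revocation


if __name__ == "__main__":
    print("caching 'good' answers:", exposure_window(True), "s of stale acceptance")
    print("caching only 'revoked':", exposure_window(False), "s of stale acceptance")
```

With a one-hour TTL the negative-caching client keeps accepting the revoked certificate for the remainder of the TTL (3000 s here), while the client that caches only revoked answers sees the revocation on its next query.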