> The fact that OCSP scales fine for revocation checking doesn't mean that
> you have a system that scales fine for the *TOTAL PROCESS*.

Stop blustering, you clearly did not know the difference between a CRL and OCSP and certainly have no real-world experience of operating PKI on which to base your broad assertions.

> Also, there's the added issue that the DNS cuts down on traffic by way of
> caching.

The ATLAS cluster that runs the core DNS (.com, .net, .org) is supporting six billion queries a day. The caching in the secondary servers goes some way to reduce load, but not as much as many think.

> Unfortunately, that's the LAST thing you want a CRL to be doing
> (in particular, negative caching is an extreme no-no).

No, it is not. If you knew what a CRL is you would know that they are issued on a periodic basis and that caching is therefore exactly what Windows or any other sensible O/S does with a CRL. You appear to be confusing CRLs with OCSP. Try reading the OCSP spec, I wrote the original section on caching responses.

Phill
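The CRL caching behaviour discussed in the message above, as an added example that is not part of the original thread or any poster's code: a client-side CRL cache that serves lookups from the cached list while the CRL is inside its thisUpdate/nextUpdate window, refetches once nextUpdate passes, and fails closed (rather than answering "not revoked") when the cached CRL has expired and the distribution point cannot be reached. The CA, its 24-hour issuance period, the CRL records (plain dicts rather than DER) and the serial numbers are all constructed for the example.

```python
"""Added example: CRL cache keyed on the CRL's own validity window.

Everything here is constructed for illustration: FakeCA stands in for a
CRL distribution point, CRLs are dicts rather than DER, and the 24-hour
issuance period is an assumption, not a value from the thread.
"""
from datetime import datetime, timedelta, timezone

CRL_PERIOD = timedelta(hours=24)   # assumed issuance period of the constructed CA


class CRLUnavailable(Exception):
    """No fresh CRL could be obtained. Callers must treat this as a hard
    failure of the check, never as 'not revoked'."""


class FakeCA:
    """Constructed CA that publishes a new CRL each period (not a real CA)."""

    def __init__(self, start):
        self.revoked = set()
        self.current = self._issue(start)
        self.unreachable = False          # simulates the CDP being down

    def _issue(self, now):
        return {"thisUpdate": now,
                "nextUpdate": now + CRL_PERIOD,
                "revoked": frozenset(self.revoked)}

    def revoke(self, serial):
        # Lands in the *next* CRL; the one already published does not change.
        self.revoked.add(serial)

    def publish_if_due(self, now):
        if now >= self.current["nextUpdate"]:
            self.current = self._issue(now)

    def fetch(self):
        return None if self.unreachable else self.current


class CRLCache:
    """Caches one CRL and reuses it for as long as it is within its window."""

    def __init__(self, fetch):
        self._fetch = fetch               # callable returning a CRL dict or None
        self._crl = None
        self.fetches = 0

    def _fresh(self, now):
        crl = self._crl
        if crl is not None and crl["thisUpdate"] <= now < crl["nextUpdate"]:
            return crl                    # cache hit: no network traffic
        self.fetches += 1
        crl = self._fetch()
        if crl is None:
            raise CRLUnavailable("fetch failed and cached CRL is expired or missing")
        if not (crl["thisUpdate"] <= now < crl["nextUpdate"]):
            raise CRLUnavailable("fetched CRL is outside its validity window")
        self._crl = crl
        return crl

    def is_revoked(self, serial, now):
        return serial in self._fresh(now)["revoked"]


def demo():
    """Walks through the cache lifecycle; returns a dict of observations."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ca = FakeCA(t0)
    cache = CRLCache(ca.fetch)
    results = {}

    # 1. First lookup fetches; later lookups inside the window hit the cache.
    results["first"] = cache.is_revoked(0x1001, t0 + timedelta(hours=1))
    cache.is_revoked(0x1001, t0 + timedelta(hours=2))
    results["fetches_after_two_checks"] = cache.fetches

    # 2. A revocation made after issuance is invisible until the next CRL:
    #    this latency is the price of periodic issuance plus caching.
    ca.revoke(0x1001)
    results["revoked_but_cached"] = cache.is_revoked(0x1001, t0 + timedelta(hours=12))

    # 3. Once nextUpdate passes the client refetches and sees the revocation.
    t1 = t0 + CRL_PERIOD + timedelta(minutes=1)
    ca.publish_if_due(t1)
    results["after_refresh"] = cache.is_revoked(0x1001, t1)
    results["fetches_after_refresh"] = cache.fetches

    # 4. Expired cached CRL plus an unreachable CDP: fail closed, do not
    #    keep answering "not revoked" from stale data.
    ca.unreachable = True
    try:
        cache.is_revoked(0x2002, t1 + CRL_PERIOD)
        results["expired_and_unreachable"] = "answered"
    except CRLUnavailable:
        results["expired_and_unreachable"] = "failed closed"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The freshness test is on the CRL's own nextUpdate, not on any HTTP cache header, so two lookups an hour apart cost one fetch while a lookup after the window always goes back to the distribution point. Step 4 is the situation to be careful with in a real client: an expired CRL must not be silently reused as proof that nothing is revoked.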