ietf-mailsig

RE: In response to Housley-mass-sec-review

2005-02-25 17:20:28

Actually it has.

The infrastructure that supports the DNS handles 15 billion transactions
every day and is designed to cope with a peak load that is considerably
higher. The database file is several gigabytes.

The OCSP infrastructure being deployed already injects over half a million
OCSP status values into ATLAS.

There is absolutely no reason to believe that the load cannot be supported
on the basis of existing operational experience.

I should also point out, in fairness to our competitors, that there have also
been several important trials for projects such as Identrus and a recent US
government trial which have involved much larger scale trials.

Nor is it even necessary to centralize administration at a single service
location. The problem has a trivial parallel decomposition which is
considerably simpler than the problem of SS7 or DNS routing.


What is either disingenuous or ignorant is to discuss the problem of CRL
handling without mentioning OCSP which is a technology that has been
operational since 1998 or so. The first version of Authenticode included an
OCSP component (albeit one based on a now obsolete standard).
-----Original Message-----
From: Mark Baugher [mailto:mbaugher(_at_)cisco(_dot_)com] 
Sent: Friday, February 25, 2005 6:02 PM
To: Hallam-Baker, Phillip
Cc: 'Douglas Otis'; Dave Crocker; MASS WG
Subject: Re: In response to Housley-mass-sec-review


I think it's disingenuous to claim that MASS PKI problems have been solved
when nothing on this scale has ever been deployed.

Mark
On Feb 25, 2005, at 1:07 PM, Hallam-Baker, Phillip wrote:


Perhaps you should take the time to study the developments in PKI since 1995
before publishing the draft.

In particular you should look at OCSP, which entirely eliminates the issues
you raise wrt CRL size and has been deployed at very large scale. You should
also look at XKMS, which has similar operational requirements to OCSP but
provides support for the complete key lifecycle and eliminates the need for
certificates.

Clearly a key-centric PKI that is built on the legacy DNS system is not going
to be as satisfactory a PKI as a purpose-built Web Service such as XKMS. There
is however no reason why we cannot use DNS for the cases it can support and
migrate to XKMS for more comprehensive support.

Given that certificate revocation technology has been built into Windows since
Win 2000, the CA industry is well aware of the operational difficulties raised
by CRLs.

-----Original Message-----
From: owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org 
[mailto:owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of 
Douglas Otis
Sent: Friday, February 25, 2005 3:30 PM
To: Dave Crocker
Cc: MASS WG
Subject: Re: In response to Housley-mass-sec-review

Here is a first pass at putting together a document. Any feedback is welcome.

As this was completed beyond the IETF draft cutoff date, these links
reference the draft.

http://www.kelkea.com/ietf/draft-otis-mass-reputation-00.html

http://www.kelkea.com/ietf/draft-otis-mass-reputation-00.txt

-Doug