On Mar 5, 2005, at 8:10 AM, Andrew Newton wrote:
> On Mar 4, 2005, at 9:21 AM, Mark Baugher wrote:
> > Revocation schemes that scale up to the numbers we are discussing
> > typically don't attempt to mirror the DNS nor require large server
> > farms.
>
> Let's say Yahoo has 40 million email accounts (that's probably pretty
> high) and has to revoke 10%.
I was discussing the making and revoking of reputation assertions. At
least that's what I wanted to discuss. I think you're talking about
revoking account keys.
Reputation is on the order of consumer electronics numbers, e.g.
broadcast key management systems on the scale of digital versatile disc
players or even individual discs.
Mark
> That's 4 million A records. I know of several small organizations
> that support twice that much DNS info just using stock BIND. Plus
> this assumes that all 10% are revoked within the same active key
> period. Once the signing key has been removed from DNS, there is no
> need for the corresponding A records either.
>
> -andy
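The scheme Andrew is sizing above (one A record per revoked account, published under the name of the signing key that is currently active, so that removing the key from DNS also retires every revocation record tied to it) can be modelled in a few dozen lines. The following is an added example for this page and is not code from either correspondent or from any IETF draft. The owner-name layout (`<hash>._rev.<key_id>._reputation.<domain>`), the sentinel address `127.0.0.2`, the use of a truncated SHA-256 of the account name as the DNS label, and the domain `example.net` are all assumptions made here for illustration; the thread only speaks of "A records" scoped to a signing key period.

```python
"""Toy model of per-account revocation published as DNS A records.

Added example, not from the original thread. Naming scheme, sentinel
address, hashing and domain are assumptions chosen for illustration.
"""
import hashlib
from typing import Dict, List, Set

DOMAIN = "example.net"            # assumed publishing domain
REVOKED_SENTINEL = "127.0.0.2"    # assumed: any fixed rdata marks "revoked"


def account_label(account: str) -> str:
    """Map an account name to a fixed-length DNS label.

    Hashing (assumed: SHA-256 truncated to 16 hex chars) keeps raw
    account names out of the zone and bounds the label length.
    """
    return hashlib.sha256(account.strip().lower().encode("utf-8")).hexdigest()[:16]


def revocation_name(account: str, key_id: str) -> str:
    """Owner name of the revocation record for an account under one signing key.

    Layout (assumed): <hash>._rev.<key_id>._reputation.<domain>
    Scoping under key_id is what lets a key rotation drop the whole subtree.
    """
    return f"{account_label(account)}._rev.{key_id}._reputation.{DOMAIN}"


class Zone:
    """Minimal in-memory stand-in for the authoritative zone data."""

    def __init__(self) -> None:
        self.records: Dict[str, Set[str]] = {}   # owner name -> set of A rdata

    def add_a(self, name: str, addr: str) -> None:
        self.records.setdefault(name.lower(), set()).add(addr)

    def lookup_a(self, name: str) -> Set[str]:
        return self.records.get(name.lower(), set())

    def remove_subtree(self, suffix: str) -> int:
        """Delete every owner name at or below `suffix`; return how many."""
        suffix = suffix.lower()
        doomed = [n for n in self.records if n == suffix or n.endswith("." + suffix)]
        for n in doomed:
            del self.records[n]
        return len(doomed)

    def render(self) -> List[str]:
        """Zone-file style lines, sorted, for inspection."""
        return sorted(f"{n}. IN A {a}" for n, addrs in self.records.items() for a in addrs)


def publish_revocations(zone: Zone, key_id: str, accounts: List[str]) -> int:
    """Publish one A record per revoked account under the active key; return count."""
    for acct in accounts:
        zone.add_a(revocation_name(acct, key_id), REVOKED_SENTINEL)
    return len(accounts)


def is_revoked(zone: Zone, account: str, key_id: str) -> bool:
    """Verifier side: a revoked account has an A record under the signing key in use."""
    return REVOKED_SENTINEL in zone.lookup_a(revocation_name(account, key_id))


def retire_key(zone: Zone, key_id: str) -> int:
    """Rotate the signing key out: drop its subtree, revocation records included.

    This is the point made in the thread: once the key is gone from DNS the
    per-account A records scoped to it carry no information and can go too.
    """
    return zone.remove_subtree(f"{key_id}._reputation.{DOMAIN}")


def records_needed(total_accounts: int, revoked_fraction: float) -> int:
    """Zone size for one key period, e.g. 40 million accounts at 10% -> 4 million."""
    return int(total_accounts * revoked_fraction)


if __name__ == "__main__":
    z = Zone()
    publish_revocations(z, "k2005q1", ["alice", "bob"])   # constructed sample data
    for line in z.render():
        print(line)
    print("alice revoked under k2005q1:", is_revoked(z, "alice", "k2005q1"))
    print("alice revoked under k2005q2:", is_revoked(z, "alice", "k2005q2"))
    print("records dropped on rotation:", retire_key(z, "k2005q1"))
    print("records for 40M accounts at 10%:", records_needed(40_000_000, 0.10))
```

The check a verifier performs is a single A lookup, so serving it is ordinary authoritative DNS load rather than a revocation server farm; the cost that does grow with revocations is zone size, which is exactly the 4-million-record figure Andrew is comparing against stock BIND deployments. Note that the record count is bounded per key period only if revocations are republished under the new key when they still matter after rotation, which this model does not do automatically.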