ietf-mailsig

Re: In response to Housley-mass-sec-review

2005-03-08 08:04:28


On Mar 5, 2005, at 8:10 AM, Andrew Newton wrote:



On Mar 4, 2005, at 9:21 AM, Mark Baugher wrote:

Revocation schemes that scale up to the numbers we are discussing typically don't attempt to mirror the DNS nor require large server farms.

Let's say Yahoo has 40 million email accounts (that's probably pretty high) and has to revoke 10%.

I was discussing the making and revoking of reputation assertions. At least that's what I wanted to discuss. I think you're talking about revoking account keys.

Reputation is on the order of consumer electronics numbers, e.g. broadcast key management systems on the scale of digital versatile disc players or even individual discs.

Mark

That's 4 million A records. I know of several small organizations that support twice that much DNS info just using stock BIND. Plus this assumes that all 10% are revoked within the same active key period. Once the signing key has been removed from DNS, there is no need for the corresponding A records as well.

-andy


