
RE: namedroppers, continued

2002-12-04 09:00:57

> The fact that OCSP scales fine for revocation checking doesn't mean that
> you have a system that scales fine for the *TOTAL PROCESS*.

Stop blustering, you clearly did not know the difference between
a CRL and OCSP and certainly have no real world experience of
operating PKI on which to base your broad assertions.


> Also, there's the added issue that the DNS cuts down on traffic by way of
> caching.

The ATLAS cluster that runs the core DNS (.com, .net, .org) is
supporting six billion queries a day. The caching in the secondary
servers goes some way to reduce load but not as much as many think.


> Unfortunately, that's the LAST thing you want a CRL to be doing
> (in particular, negative caching is an extreme no-no).

No, it is not. If you knew what a CRL is you would know that
they are issued on a periodic basis and that caching is
therefore exactly what Windows or any other sensible O/S
does with a CRL.

You appear to be confusing CRLs with OCSP. Try reading the OCSP
spec; I wrote the original section on caching responses.


                Phill
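
The CRL caching behaviour argued over in this message, as an added example that is not part of the original e-mail: a client-side cache that keeps one CRL per issuer and refetches only once its nextUpdate time has passed. The `Crl` record, the `CrlCache` class, the `fetch` callback and the daily-publishing CA are all hypothetical and constructed for illustration; signature verification of the CRL is assumed to have happened already.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Crl:
    """Constructed stand-in for a parsed, signature-verified X.509 CRL."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset

class CrlCache:
    """Keeps one CRL per issuer; goes back to the CA only after nextUpdate."""
    def __init__(self, fetch):
        self._fetch = fetch   # hypothetical callable: (issuer, now) -> Crl
        self._cache = {}
        self.fetches = 0      # number of round trips to the CA

    def _current(self, issuer, now):
        crl = self._cache.get(issuer)
        if crl is None or now >= crl.next_update:
            self.fetches += 1
            crl = self._fetch(issuer, now)  # a fetch error propagates: fail closed
            if not (crl.this_update <= now < crl.next_update):
                raise ValueError("fetched CRL is not current")
            self._cache[issuer] = crl
        return crl

    def is_revoked(self, issuer, serial, now):
        return serial in self._current(issuer, now).revoked_serials

def demo():
    t0 = datetime(2002, 12, 4, 9, 0, tzinfo=timezone.utc)
    period = timedelta(hours=24)

    def fetch(issuer, now):
        # Constructed CA: one CRL per day; serial 7 is listed from the second CRL on.
        n = (now - t0) // period
        revoked = frozenset({7}) if n >= 1 else frozenset()
        return Crl(issuer, t0 + n * period, t0 + (n + 1) * period, revoked)

    cache = CrlCache(fetch)
    first_day = [cache.is_revoked("CN=Example CA", 7, t0 + timedelta(minutes=m))
                 for m in range(600)]
    fetches_first_day = cache.fetches
    second_day = cache.is_revoked("CN=Example CA", 7, t0 + timedelta(hours=25))
    return any(first_day), fetches_first_day, second_day, cache.fetches
```

The 600 lookups inside the first validity window cost a single fetch, and the revocation becomes visible only when the next periodic CRL replaces the cached one.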
