Paul Hoffman wrote:
[...]
That feels insufficient to me. I also disagree that there are
"practical problems of revoking a very large number of certificates".
The worst problem is that the CRL will grow; that's no big deal, it
is supposed to grow.

You *obviously* never had to handle this CRL:
http://onsitecrl.certplus.com/DIRECTIONGENERALEDESIMPOTSDIRECTIONGENERALEDESIMPOTSUSAGER/LatestCRL

Java programs just can't take it up. And J2EE is by far the most popular application server architecture nowadays. 64-bit J2EE with enterprise-level stability is not a reality today.

And just count how many 3% of the certs Verisign issued under its main CA makes.

PS: Yes, it's outdated, they did a "reset" of the CA architecture, generated new roots, and I think the new one is not yet as big. But there's no reason why it won't be some day.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
