> The fact that OCSP scales fine for revocation checking
> doesn't mean that
> you have a system that scales fine for the *TOTAL PROCESS*.
Stop blustering, you clearly did not know the difference between
a CRL and OCSP and certainly have no real world experience of
operating PKI on which to base your broad assertions.
> Also, there's the added issue that the DNS cuts down on
> traffic by way of
> caching.
The ATLAS cluster that runs the core DNS (.com, .net, .org) is
supporting six billion queries a day. The caching in the secondary
servers goes some way to reduce load but not as much as many think.
> Unfortunately, that's the LAST thing you want a CRL
> to be doing
> (in particular, negative caching is an extreme no-no).
No it is not. If you knew what a CRL is you would know that
they are issued on a periodic basis and that caching is
therefore exactly what Windows or any other sensible O/S
does with a CRL.
You appear to be confusing CRLs with OCSP. Try reading the OCSP
spec; I wrote the original section on caching responses.
Phill