On 5/11/05, Jean-Marc Desperrier <[EMAIL PROTECTED]> wrote:
> Peter Gutmann wrote:
> > Then consider the economic perspective. Maintaining the infrastructure to
> > support that sort of massive demand will cost a considerable amount of
> > money.
>
> Consider the economic perspective of domain name and operating the DNS
> system. Suddenly it looks not random at all that Verisign owns Network
> Solutions.

There seems to be some confusion about this still, so while it's OT I'll post it anyway.

VeriSign bought Network Solutions, which at the time was a registry and a registrar. VeriSign folded the registry into its core business and sold off the registrar. The registry is part of VeriSign and the services are branded VeriSign Global Registry Services. The registrar part is still called Network Solutions and I believe it is owned privately today.

As the use of the internet grew it was decided that there should be competitors in the domain name service space for the non-country TLDs (the country code TLDs are by default governed by the countries whose ISO country code they represent, so dot-us is governed by or for the US unless they choose to sell it off to someone else). The retailers are called registrars - they are the ones that deal with people and companies that want to register domain names. There was a need for a mechanism to ensure that two registrars did not sell the same domain name to two different people.

The VeriSign DNS registry plays a few roles such as:
- track current DNS information for domain names
- respond to DNS queries based on the current data
- provide machine to machine interfaces to enable registrars to publish data updates

> > There's simply no way to do revocation checking in any kind of effective
> > manner, you can either make it effective but expensive so no-one will use
> > it, or cheap but ineffective so it just becomes a ritual to ward off evil
> > spirits.
>
> I rather agree about that problem description, I just don't understand
> why Ram declares that OCSP solves it. I tend to believe it can help in
> some situations, but make it worse in others, in fact make it worse for
> most cases if the client doesn't store the OCSP response and requests
> again every time it accesses the object.

I agree with your conclusion and will add that a bad client implementation is a form of DoS; imagine if web browsers did not cache pages or images and did not use HEAD checks. It would not be the end of the web, but it would be much more expensive for everyone. Bandwidth needs would be way higher and I expect that infrastructure cost would be a burden on my usage experience (I have 3mb/s downlink at home, that might feel more like 500kb/s), and the cost to websites would go up as well.

VeriSign can scale DNS effectively. VeriSign can scale OCSP effectively. The fact that DNS and OCSP can both be cached makes it much more cost effective given clients with robust implementations. No online service is immune to an aggressive enough network DoS attack; on the other hand, DoS against a well deployed OCSP system is unlikely to be the most cost effective way to phish. Time will tell.

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
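The caching point made in the message above (a client that re-requests the OCSP response on every access multiplies responder load; one that keeps it until nextUpdate does not), as an added example that is not part of the original thread nor code from any Mozilla or VeriSign software. OcspResponse stands in for an already parsed and signature-verified response; the CertId tuple, the 5 minute clock-skew tolerance, and the 5 minute fallback lifetime for responses without a nextUpdate are assumed local policy, not anything the thread specifies.

```python
"""Validity-window cache for OCSP responses.

Added example for the caching point in the post above; not code from the
mozilla-crypto thread nor from any Mozilla or VeriSign software. OcspResponse
is a constructed stand-in for an already parsed and signature-verified
BasicOCSPResponse: a real client must verify the responder's signature and
its authorisation before trusting any field used here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Constructed key standing in for RFC 2560 CertID: (issuer key hash, serial number).
CertId = Tuple[str, str]


@dataclass(frozen=True)
class OcspResponse:
    cert_status: str                 # "good", "revoked" or "unknown"
    this_update: datetime            # thisUpdate: time the status was known to be correct
    next_update: Optional[datetime]  # nextUpdate: newer information is available after this; may be absent


class OcspCache:
    """Keeps a response until its nextUpdate so repeated lookups of one certificate
    cost one responder round trip instead of one per access."""

    def __init__(self, fetch: Callable[[CertId], OcspResponse],
                 now: Callable[[], datetime],
                 ttl_if_no_next_update: timedelta = timedelta(minutes=5),
                 clock_skew: timedelta = timedelta(minutes=5)):
        self._fetch = fetch              # network fetch, injected so the example runs offline
        self._now = now                  # injected clock so expiry can be exercised deterministically
        self._fallback_ttl = ttl_if_no_next_update  # assumed local policy; RFC 2560 sets no value
        self._skew = clock_skew          # assumed tolerance for responder/client clock drift
        self._store: Dict[CertId, Tuple[OcspResponse, datetime]] = {}
        self.upstream_requests = 0       # what an uncached client would pay on every lookup

    def status(self, cert_id: CertId) -> str:
        now = self._now()
        hit = self._store.get(cert_id)
        if hit is not None:
            resp, expires = hit
            if now < expires:
                return resp.cert_status
            del self._store[cert_id]     # nextUpdate has passed: the responder must be asked again

        resp = self._fetch(cert_id)
        self.upstream_requests += 1

        # Freshness rules from RFC 2560 section 3.2: thisUpdate must not lie in the
        # future and nextUpdate must not already be behind us (allowing for skew).
        if resp.this_update > now + self._skew:
            raise ValueError("thisUpdate is in the future; responder or local clock is wrong")
        if resp.next_update is not None and resp.next_update + self._skew < now:
            raise ValueError("response already expired: nextUpdate is in the past")

        expires = resp.next_update if resp.next_update is not None else now + self._fallback_ttl
        self._store[cert_id] = (resp, expires)
        return resp.cert_status


def responder_load(accesses: int, with_cache: bool) -> int:
    """Returns how many of `accesses` lookups of one certificate, all inside one
    24 h validity window, reach the responder with and without the cache."""
    t0 = datetime(2005, 5, 11, tzinfo=timezone.utc)  # constructed clock
    cert: CertId = ("1f2e3d4c", "0a1b")              # constructed CertID
    hits = [0]

    def responder(_: CertId) -> OcspResponse:
        hits[0] += 1
        return OcspResponse("good", t0, t0 + timedelta(hours=24))

    cache = OcspCache(responder, lambda: t0 + timedelta(seconds=1))
    for _ in range(accesses):
        if with_cache:
            cache.status(cert)
        else:
            responder(cert)
    return hits[0]


def load_across_expiry() -> List[int]:
    """Cumulative responder hits after lookups at +1 s, +1 h, +25 h and +25 h again:
    the window is 24 h, so only the third lookup should refetch."""
    t0 = datetime(2005, 5, 11, tzinfo=timezone.utc)  # constructed clock
    cert: CertId = ("1f2e3d4c", "0a1b")              # constructed CertID
    clock = {"now": t0}

    def responder(_: CertId) -> OcspResponse:
        now = clock["now"]
        return OcspResponse("good", now, now + timedelta(hours=24))

    cache = OcspCache(responder, lambda: clock["now"])
    out: List[int] = []
    for offset in (timedelta(seconds=1), timedelta(hours=1), timedelta(hours=25), timedelta(hours=25)):
        clock["now"] = t0 + offset
        cache.status(cert)
        out.append(cache.upstream_requests)
    return out
```

The same shape applies to a DNS resolver cache with the record TTL in place of nextUpdate; the point in both cases is that the validity window is set by the authoritative side and the client honours it rather than asking again on every use.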
