On 5/11/05, Jean-Marc Desperrier <[EMAIL PROTECTED]> wrote:
> Ram A Moskovitz wrote:
> > VeriSign can scale DNS effectively.
>
> That's what I referred to when I said you own Network Solutions, by that
> I meant the registry part, the registrar is not relevant. If you are
> able to handle all the DNS requests and make it a profitable business,
> despite the fact I don't see a huge revenue source on that, the
> experience helps you for revocation info.

I figured that was probably what you meant. I was making the correction that while Network Solutions is a company that exists and offers services including DNS registrar functions, Network Solutions is not owned by VeriSign.

> > VeriSign can scale OCSP
> > effectively. The fact that DNS and OCSP can both be cached makes it
> > much more cost effective given clients with robust implementations.
>
> OCSP begins to make more sense than CRL if you can afford an extensive
> distributed caching architecture.

The operational cost of one relative to the other is sensitive to implementation details and usage models, you cover this in part in your numerical analyses. Extensive distributed caching helps both CRL and OCSP (and DNS and HTTP).

I think OCSP is a better solution even if it is sometimes more expensive to operate than CRL service. Ideally in the presence of both options specified in a certificate a user agent would try OCSP and if that were not possible it would try the CRL instead. In either case caching the responses is appropriate; I believe there are RFCs or IDs that describe this behavior.

If you would like VeriSign's preference I think Alex described that a while back in this NG, it's also in the now expired I-D referenced - which should come back as -02 shortly.

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
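
The user-agent behaviour described in the reply above (try OCSP first, fall back to the CRL, cache either answer until it expires), as an added example that is not part of the original message. The class names, the `has_ocsp`/`has_crl` flags and the two fetch callables are hypothetical stand-ins for real network, parsing and signature-verification code.

```python
import time
from dataclasses import dataclass

class Unavailable(Exception):
    """Responder or CRL distribution point unreachable, or its answer is stale."""

@dataclass(frozen=True)
class Status:
    revoked: bool
    source: str         # "ocsp" or "crl"
    next_update: float  # epoch seconds; the answer may be cached until then

class RevocationChecker:
    """ocsp_fetch(serial) -> (revoked, next_update); crl_fetch() -> (serials, next_update).
    Both callables are assumptions: they must return only verified, parsed answers."""

    def __init__(self, ocsp_fetch, crl_fetch, clock=time.time):
        self.ocsp_fetch, self.crl_fetch, self.clock = ocsp_fetch, crl_fetch, clock
        self.ocsp_cache = {}   # serial -> Status: one OCSP answer covers one certificate
        self.crl_cache = None  # (serials, next_update): one CRL covers the whole issuer

    def check(self, serial, has_ocsp=True, has_crl=True):
        now = self.clock()
        if has_ocsp:
            hit = self.ocsp_cache.get(serial)
            if hit is not None and now < hit.next_update:
                return hit                      # fresh cached OCSP answer
            try:
                revoked, next_update = self.ocsp_fetch(serial)
                if next_update <= now:
                    raise Unavailable("stale OCSP response")
                status = Status(revoked, "ocsp", next_update)
                self.ocsp_cache[serial] = status
                return status
            except Unavailable:
                pass                            # fall through to the CRL
        if has_crl:
            if self.crl_cache is None or now >= self.crl_cache[1]:
                serials, next_update = self.crl_fetch()   # may raise Unavailable
                if next_update <= now:
                    raise Unavailable("stale CRL")
                self.crl_cache = (frozenset(serials), next_update)
            serials, next_update = self.crl_cache
            return Status(serial in serials, "crl", next_update)
        # Neither source worked: the caller decides between hard-fail and soft-fail.
        raise Unavailable("no revocation source reachable")
```

The two caches differ in granularity: an expired OCSP entry costs one small request per certificate, while a single cached CRL answers every serial from that issuer until its next update.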
