Ram A Moskovitz <[EMAIL PROTECTED]> writes:

>On 11 May 2005 14:32:53 GMT, Peter Gutmann <[EMAIL PROTECTED]> wrote:
>> Ian G <[EMAIL PROTECTED]> writes:
>> It's already happened, Verisign were pretty much wiped out last year when one
>> of their certs expired, resulting in a massive DDoS on crl.verisign.com.
>Are you sure that's what happened?

It was pretty widely publicised at the time.

>> Now imagine what would happen if revocation checking were properly done in all
>> clients, where you'd get a DDoS that makes last year's one look trivial and
>> that continues 24/7.
>I disagree. I think OCSP scales well enough that with reasonable client
>implementations it can be used for things like SSL server certificate
>validation and software publisher validation.

OCSP doesn't scale at all, which is why recent "high-performance" OCSP
proposals break the protocol's security to allow replay attacks (Verisign for
example broke their implementation last year some time in order to get it to,
uhh, "scale", other vendors have done the same). The result is that you're not
getting a real certificate status any more, just a replay of an old
out-of-date status that may or may not be coming from an attacker. Nice warm
fuzzies, but little else.

Peter.

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
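The point under dispute is what a client can still verify once a responder hands out pre-produced, nonce-less answers. As an added illustration, not part of this thread and not anyone's production code, the Python below performs the freshness and nonce checks a relying party can apply to the fields of an OCSP SingleResponse (thisUpdate, nextUpdate, the echoed nonce). The `OcspStatus` data model, the five-minute skew allowance and the one-day cap for responses without nextUpdate are assumptions chosen for the example; signature verification is assumed to have happened already. The `demo()` function builds constructed sample responses to show that a cached response with no nonce passes a pure validity-window check for its whole interval, which is exactly the replay window, whereas a client that insists on its own nonce rejects it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class OcspStatus:
    """Simplified model (an assumption for this example) of the fields a
    parser would pull out of one OCSP SingleResponse."""
    cert_status: str                 # "good", "revoked" or "unknown"
    this_update: datetime            # status is known correct as of this time
    next_update: Optional[datetime]  # None: responder gives no validity bound
    nonce: Optional[bytes]           # echoed request nonce, if the responder sent one


CLOCK_SKEW = timedelta(minutes=5)                 # assumed tolerance for clock drift
MAX_AGE_WITHOUT_NEXT_UPDATE = timedelta(days=1)   # assumed local policy


def check_ocsp_status(resp: OcspStatus,
                      request_nonce: Optional[bytes],
                      now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason) for a response already known to be
    correctly signed. Binding to the request nonce is what rules out
    replay; the time checks only bound how old a replay can be."""
    if request_nonce is not None:
        # The client sent a nonce, so it must come back unchanged.
        if resp.nonce is None:
            return False, "no nonce: response could be a replay"
        if resp.nonce != request_nonce:
            return False, "nonce mismatch"
    if resp.this_update > now + CLOCK_SKEW:
        return False, "thisUpdate is in the future"
    if resp.next_update is not None:
        if now > resp.next_update + CLOCK_SKEW:
            return False, "stale: nextUpdate has passed"
    elif now - resp.this_update > MAX_AGE_WITHOUT_NEXT_UPDATE:
        return False, "stale: no nextUpdate and older than local limit"
    if resp.cert_status != "good":
        return False, "certificate status is " + resp.cert_status
    return True, "fresh"


def replay_window(resp: OcspStatus) -> timedelta:
    """How long a captured copy of this response stays acceptable to a
    client that checks only the validity interval (no nonce)."""
    if resp.next_update is None:
        return MAX_AGE_WITHOUT_NEXT_UPDATE
    return resp.next_update - resp.this_update


def demo() -> dict:
    """Constructed sample data, chosen to show both outcomes."""
    now = datetime(2005, 5, 12, 12, 0, tzinfo=timezone.utc)
    # A pre-produced, nonce-less "good" answer of the cacheable kind:
    # signed three days ago, valid for seven days in total.
    cached = OcspStatus("good", now - timedelta(days=3),
                        now + timedelta(days=4), None)
    # The same status from a responder that answered our nonce live.
    nonce = b"\x01\x02\x03\x04"
    live = OcspStatus("good", now, now + timedelta(minutes=10), nonce)
    return {
        "cached_no_nonce_check": check_ocsp_status(cached, None, now),
        "cached_with_nonce_check": check_ocsp_status(cached, nonce, now),
        "live": check_ocsp_status(live, nonce, now),
        "cached_after_expiry": check_ocsp_status(cached, None,
                                                 now + timedelta(days=5)),
        "cached_replay_days": replay_window(cached).days,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The design choice worth noting is that the time checks and the nonce check answer different questions: the validity interval tells the client how stale a signed answer may be, while only the nonce ties the answer to this particular request. A responder that serves pre-signed answers cannot echo a nonce, so a client that wants replay protection from such a responder has nothing to check beyond the interval.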
