Jean-Marc Desperrier wrote:
> After the discussion on signed extension and the best way to check for
> their revocation information, I've been thinking that maybe the best
> would be to do away with both CRL or OCSP and just use the same
> mechanism as for the updates (that would be conceptually equivalent to
> OCSP).

We've been playing with the OpenCA OCSP responder and, well, so far so good. We generate the CRL and publish it to the main website immediately after we receive a request to revoke. The way we have been playing with the OpenCA daemon is to have it pull a copy of the CRL from the main website, at present every 10 minutes, but this is configurable. Using this plus DNS round robin and a bunch of OCSP responders, I don't see how this would be less scalable than DNS, and DNS has proven (and keeps proving) to scale.

For guys playing the numbers earlier in the week: we published the main certificate for the CAcert website (and any other certificates since) with an OCSP URI, and in about 15 hours we've had 101 OCSP requests, by 27 clients, which totals 256 kbytes. I'll post more on this as our testing goes on if anyone is interested in some real world figures.

-- 
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."

_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
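An added illustration (not OpenCA's or CAcert's code) of the pipeline Duane describes: a responder that answers from a CRL it pulls on a fixed interval. The CRL, serial number and timeline are constructed; the point it shows is that a revocation is only visible after the next pull, and that a responder must stop answering "good" once its cached CRL has passed nextUpdate.

```python
"""Model of an OCSP responder fed by a periodically pulled CRL.

Added example, not project code. Times are seconds on a constructed
timeline; the CRL is an in-memory record rather than a DER-encoded one.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional


@dataclass
class Crl:
    this_update: float
    next_update: float
    revoked: FrozenSet[int]   # revoked serial numbers (constructed values)


@dataclass
class CrlBackedResponder:
    fetch: Callable[[], Crl]  # pulls the currently published CRL (injected, offline)
    poll_interval: float      # seconds between pulls; the post uses 10 minutes
    _crl: Optional[Crl] = None
    _last_poll: float = float("-inf")

    def _refresh_if_due(self, now: float) -> None:
        # Mirrors the daemon pulling the CRL from the website on a timer.
        if now - self._last_poll >= self.poll_interval:
            self._crl = self.fetch()
            self._last_poll = now

    def status(self, serial: int, now: float) -> str:
        """'good' or 'revoked' from the cached CRL; 'unknown' if no CRL is
        held or the cached CRL is past nextUpdate (never vouch from stale data)."""
        self._refresh_if_due(now)
        crl = self._crl
        if crl is None or now >= crl.next_update:
            return "unknown"
        return "revoked" if serial in crl.revoked else "good"


def simulate_revocation_window() -> dict:
    """Constructed timeline: CRL pulled at t=0, serial 0x2A revoked and a new
    CRL published at t=300, responder polling every 600 s."""
    published = {"crl": Crl(this_update=0, next_update=3600, revoked=frozenset())}
    responder = CrlBackedResponder(fetch=lambda: published["crl"], poll_interval=600)
    seen = {0: responder.status(0x2A, now=0)}              # fresh CRL, nothing revoked
    published["crl"] = Crl(300, 3900, frozenset({0x2A}))   # CA revokes and republishes
    seen[301] = responder.status(0x2A, now=301)            # cache not due: still 'good'
    seen[600] = responder.status(0x2A, now=600)            # pull happens: 'revoked'
    seen[4000] = responder.status(0x2A, now=4000)          # website CRL expired: 'unknown'
    return seen
```

The gap between t=300 and t=600 is the revocation latency the poll interval buys; shortening the interval shrinks it at the cost of more pulls per responder.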
