Gervase Markham wrote:

> In other words, a nonce is a way of having a lifetime of zero for the
> OCSP request.
>
> IMO, given other latencies which would be present in a system for
> revoking the cert of a phishing site, a near-equivalent level of
> security with much greater scalability could be achieved by having
> nonce-less operation, 1-minute timeouts, and using the TLS extensions
> which (I am told) allow the webserver to deliver the OCSP response
> rather than the OCSP responder itself. Then, the OCSP server has to
> service one request every 30 seconds per webserver, rather than one
> request per client connection.

so, sort of per the earlier postings

http://www.garlic.com/~lynn/2005i.html#0 More Phishing scams, still no SSL being used

you could use a real-time, certificateless, on-file public key retrieval from trusted DNS infrastructure ... for use in establishing an encrypted SSL session (instead of obtaining the server public key from a certificate).

now for 20 some years, DNS has had a generalized mechanism for multi-level caching of information with a per-entry cache expiration interval (including at the lowest end-user end-point).

I think it was the 1991 ACM SIGMOD conference in San Jose ... somebody raised a question about what was this x.5xx stuff going on .... and somebody else explained that it was a bunch of networking engineers attempting to reinvent 1960s database technology.

so the primary target for SSL has been client access for e-commerce. There have been studies that show e-commerce activity is highly skewed ... with possibly only 200 sites accounting for upwards of 90 percent of activity. If you were looking specifically at public key serving within a DNS real-time retrieval paradigm .... with standard caching and cache entry expiration intervals to address performance issues that might hypothetically crop up ... you are looking at a relatively small number of public keys that have to be cached to cover the majority of actual world-wide SSL activity.
_______________________________________________ mozilla-crypto mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-crypto
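The trade-off both posters describe (a nonce forces one responder request per client connection; a short lifetime with caching bounds responder load but opens a staleness window) can be made concrete with a small simulation. The following is an added example, not code from the thread or from any OCSP or DNS implementation: a per-entry TTL cache in the style of a DNS resolver cache sits in front of a stand-in responder, and the simulation counts how many signed responses the responder has to produce and how many connections are served a stale "good" answer after a revocation. The cache, the responder, the `cert-1` identifier and the arrival times are all constructed for the example.

```python
"""Simulate OCSP responder load and staleness under nonce vs. TTL-cached operation.

Added example (not from the mailing-list thread). All names and inputs are
constructed for illustration.
"""
from typing import Callable, Dict, List, Optional, Tuple


class TtlCache:
    """Cache with a per-entry expiration time, like a DNS resolver cache.

    The clock is injected so the simulation can advance time deterministically.
    """

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        self._entries: Dict[str, Tuple[dict, float]] = {}  # key -> (value, expires_at)

    def get(self, key: str) -> Optional[dict]:
        entry = self._entries.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if self._clock() >= expires_at:  # expired: drop it and report a miss
            del self._entries[key]
            return None
        return value

    def put(self, key: str, value: dict, ttl_s: float) -> None:
        self._entries[key] = (value, self._clock() + ttl_s)


class Responder:
    """Stand-in OCSP responder: counts signing requests and tracks cert status."""

    def __init__(self) -> None:
        self.requests = 0
        self.status = "good"

    def sign_status(self, cert_id: str, nonce: Optional[float] = None) -> dict:
        self.requests += 1  # every call is one signature the responder must produce
        return {"cert_id": cert_id, "status": self.status, "nonce": nonce}


def simulate(arrivals: List[float], ttl_s: float, use_nonce: bool,
             revoke_at: Optional[float] = None) -> Tuple[int, int]:
    """Serve one cert-status check per connection and return (responder_requests, stale_served).

    arrivals : connection timestamps in seconds (constructed sample input)
    ttl_s    : lifetime of a cached response when nonces are not used
    use_nonce: a nonced request can never be answered from cache
    revoke_at: time at which the responder starts reporting "revoked"
    stale_served counts connections told "good" after the cert was revoked.
    """
    now = [0.0]
    cache = TtlCache(clock=lambda: now[0])  # the webserver-side cache
    responder = Responder()
    stale = 0
    for t in sorted(arrivals):
        now[0] = t
        if revoke_at is not None and t >= revoke_at:
            responder.status = "revoked"
        if use_nonce:
            resp = responder.sign_status("cert-1", nonce=t)  # nonce defeats caching
        else:
            resp = cache.get("cert-1")
            if resp is None:  # miss or expired: fetch once, serve from cache until TTL
                resp = responder.sign_status("cert-1")
                cache.put("cert-1", resp, ttl_s)
        if responder.status == "revoked" and resp["status"] == "good":
            stale += 1
    return responder.requests, stale


if __name__ == "__main__":
    # Constructed workload: one client connection per second for five minutes,
    # with the cert revoked 100 s in. TTL of 60 s matches the 1-minute lifetime discussed.
    arrivals = [float(t) for t in range(300)]
    print("nonce :", simulate(arrivals, ttl_s=60, use_nonce=True, revoke_at=100))
    print("cached:", simulate(arrivals, ttl_s=60, use_nonce=False, revoke_at=100))
```

With nonces the responder signs 300 responses and no connection is ever served a stale answer; with a 60-second lifetime it signs 5, but the 20 connections between the revocation and the next cache expiry still see "good". The staleness window is bounded by the TTL, which is the latency the poster argues is acceptable relative to the rest of the revocation pipeline. This example refreshes only on expiry; a server that re-fetches at half the lifetime (the "every 30 seconds" figure above) would roughly double the request count while never serving a response past its lifetime.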
