Re: Verisign CRL single point of failure

2004-04-01 Thread Dirk-Willem van Gulik
On Jan 9, 2004, at 8:06 PM, Rich Salz wrote: dave kleiman wrote: Because the client has a Certificate Revocation Checking function turned on in a particular app (i.e. IE or NAV). I don't think you understood my question. Why is crl.verisign.com getting overloaded *now.* What does the

RE: Verisign CRL single point of failure

2004-03-31 Thread dave kleiman
I don't think you understood my question. Why is crl.verisign.com getting overloaded *now.* What does the expiration of one of their CA certificates have to do with it? Once you see that a cert has expired, there's no need whatsoever to go look at the CRL. The point of a CRL is to revoke

Re: Verisign CRL single point of failure

2004-03-31 Thread Rich Salz
dave kleiman wrote: Because the client has a Certificate Revocation Checking function turned on in a particular app (i.e. IE or NAV). I don't think you understood my question. Why is crl.verisign.com getting overloaded *now.* What does the expiration of one of their CA certificates have to do

Re: Verisign CRL single point of failure

2004-03-31 Thread Peter Gutmann
Rich Salz writes: Can someone explain to me why the expiring of a certificate causes new massive CRL queries? Here's the reply straight from Verisign: -- Snip -- We wanted to pass on a notification that we have determined what we feel is the root cause of the CRL outage

Re: Verisign CRL single point of failure

2004-03-31 Thread Rich Salz
I'm not sure what the no longer dynamically changing means, I assume they've made it even worse by giving it a much larger expiry period, so your online check gives you the status from last year instead of last week. It means that they learned the lesson when the erroneously issued

Re: Verisign CRL single point of failure

2004-03-31 Thread t . c . jones
Verisign incorrectly built the new certificate, causing every SSL access on IE 5.x to request a new CRL (700k) on every single SSL access. This has been fixed, a new updated cert is available and the CRL storm is abating. See the Verisign site for more details on what they did to fix the