On 11 May 2005 14:32:53 GMT, Peter Gutmann <[EMAIL PROTECTED]> wrote:

> Ian G <[EMAIL PROTECTED]> writes:
>
> >On Wednesday 11 May 2005 15:02, Ram A Moskovitz wrote:
> >
> >> Why can't revocation be used to prevent further distribution of
> >> dangerously flawed software as well as malicious software? How about
> >> disabling the use of the software?
> >
> >Revocation has never been used under fire. Many
> >would expect it to fold up and collapse under the
> >slightest attack, it's simply too complex, too much
> >of a paper solution to risk real value on, IMHO.
>
> It's already happened, Verisign were pretty much wiped out last year when one
> of their certs expired, resulting in a massive DDoS on crl.verisign.com.

Are you sure that's what happened?

> Now
> imagine what would happen if revocation checking were properly done in all
> clients, where you'd get a DDoS that makes last year's one look trivial and
> that continues 24/7.

I disagree. I think OCSP scales well enough that with reasonable client
implementations it can be used for things like SSL server certificate
validation and software publisher validation.

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
