
Re: OCSP v CRLs over HTTP



Tim:

So, when does the Internet reach one billion users?  How much bandwidth/responders would be needed?  Then, of course, how many responder certificates per CA:  1 ... infinity?

Michael

>>> Tim Moses <tim.moses@entrust.com> 12/07/97 04:01PM >>>
Phill - Thank you for your response.  But, the central question remains
unanswered: how can OCSP serve a community with a size of (let's use
your number) one billion users?  According to the model that I
presented, it is not possible.  So, where is my error?  Is one of my
assumptions wrong?  In which case, which one?  Can you provide
quantitative answers, under appropriate assumptions, to the following
questions:

1. Approximately how many OCSP responders are required to serve a
community of one billion relying parties and subscribers?

2. How do the relying parties come to trust the verification keys of the
OCSP responders?

3. How do the OCSP responders obtain revocation information from the
single CA?

4. How current will the revocation information be when it is presented
to the relying parties?

Best regards.  Tim.
>
>----------
>From:  Phillip M Hallam-Baker[SMTP:pbaker@verisign.com] 
>Sent:  December 5, 1997 11:28 AM
>To:  IETF-PKIX@LISTS.TANDEM.COM 
>Subject:  Re: [IETF-PKIX] OCSP v CRLs over HTTP
>
>Re Tim Moses <tim.moses@ENTRUST.COM> comments concerning the alleged 'non
>scalability of OCSP'.
>
>I have been reviewing Tim's comments concerning the 'scalability of OCSP'.
>First I note that Tim does not address scalability but the relative
>performance of OCSP and the Entrust approach under his chosen set of
>assumptions.
>
>Scalability is about whether an architecture limits the size of the problem
>that can be handled. e.g. resource requirements scale O(n^2) or worse or it
>assumes a big enough mainframe can be purchased.
>
>OCSP supports a function call end clients make routinely: 'Is this
>certificate valid'. It allows the function 'check every certificate in my
>address book' to be supported cleanly. Unless you want to either handle CRLs
>in the client or route all traffic through a central bottleneck OCSP is the
>obvious approach.
>
>To gain perspective on scaling issues I believe we should look at a billion
>certificates or more rather than Tim's million. At least two applications
>will involve this number of certificates:
>
>    * Credit card processing
>    * Certificate based equities
>
>Both these scenarios are much smaller than systems I have previously helped
>design, ZEUS and the Web. Simulation is the only way to prove viability of
>such systems. I see OCSP as a useful tool in meeting such challenges which
>require a 'full toolbox'.
>
>        Phill
>
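Tim's questions 1 and 4 (responder count and freshness) and Phill's point about order-of-growth can be put into a small capacity model. The following Python is an added illustration for this archive page, not code from anyone on the thread; every constant (response sizes, responder capacity, revocation fraction, validations per day) is a constructed assumption chosen only to make the scaling behaviour visible.

```python
"""Toy capacity model for the OCSP-versus-CRL scaling debate.

Added illustration for this archive page, not code written by anyone on
the thread.  Every constant below is a constructed assumption chosen to
make the orders of magnitude visible; none is a figure from the discussion.
"""
import math
from dataclasses import dataclass, replace

SECONDS_PER_DAY = 86_400

# Assumed wire sizes and capacities (constructed, not measured).
OCSP_RESPONSE_BYTES = 1_500     # one signed single-certificate status response
CRL_ENTRY_BYTES = 40            # serial number + revocation time + entry extensions
CRL_OVERHEAD_BYTES = 500        # CRL header, issuer name and signature
RESPONDER_CAPACITY_QPS = 2_000  # signed responses per second from one responder


@dataclass(frozen=True)
class Population:
    relying_parties: int             # clients that validate certificates
    subscribers: int                 # certificates issued by the single CA
    revoked_fraction: float          # share of issued certificates currently revoked
    validations_per_rp_per_day: int  # status checks each relying party makes per day


def crl_size_bytes(p: Population) -> int:
    """A full CRL carries one entry per revoked certificate, whoever asks for it."""
    revoked = round(p.subscribers * p.revoked_fraction)
    return CRL_OVERHEAD_BYTES + CRL_ENTRY_BYTES * revoked


def crl_daily_bytes(p: Population, fetches_per_rp_per_day: int = 1) -> int:
    """Bytes served per day if every relying party downloads the whole CRL.

    The cost is (relying parties) x (revoked certificates): growing the
    community grows both factors, which is the O(n^2) behaviour Phill warns of.
    """
    return p.relying_parties * fetches_per_rp_per_day * crl_size_bytes(p)


def ocsp_daily_bytes(p: Population) -> int:
    """Bytes served per day if each validation is one OCSP request/response.

    Cost tracks the number of validations actually performed, independent of
    how many certificates exist or how many are revoked.
    """
    return p.relying_parties * p.validations_per_rp_per_day * OCSP_RESPONSE_BYTES


def ocsp_responders_needed(p: Population, peak_factor: float = 5.0) -> int:
    """Responders needed to absorb peak load (Tim's question 1).

    peak_factor is the assumed ratio of peak to average query rate.
    """
    avg_qps = p.relying_parties * p.validations_per_rp_per_day / SECONDS_PER_DAY
    return math.ceil(avg_qps * peak_factor / RESPONDER_CAPACITY_QPS)


def growth_factor(cost_fn, p: Population, k: int) -> float:
    """How much cost_fn grows when both sides of the community grow k-fold."""
    bigger = replace(p, relying_parties=p.relying_parties * k,
                     subscribers=p.subscribers * k)
    return cost_fn(bigger) / cost_fn(p)


def worst_case_staleness_s(ca_publish_interval_s: int,
                           consumer_refresh_interval_s: int) -> int:
    """Upper bound on the age of revocation data seen by a relying party (question 4).

    For CRLs the consumer is the relying party fetching the list; for OCSP it is
    the responder fetching the CA's revocation data.  The same bound applies,
    with different operational intervals plugged in.
    """
    return ca_publish_interval_s + consumer_refresh_interval_s


if __name__ == "__main__":
    billion = Population(relying_parties=1_000_000_000, subscribers=1_000_000_000,
                         revoked_fraction=0.01, validations_per_rp_per_day=10)
    print(f"CRL size            : {crl_size_bytes(billion) / 1e6:,.0f} MB")
    print(f"CRL bytes/day       : {crl_daily_bytes(billion):.3e}")
    print(f"OCSP bytes/day      : {ocsp_daily_bytes(billion):.3e}")
    print(f"OCSP responders     : {ocsp_responders_needed(billion)}")
    small = replace(billion, relying_parties=1_000_000, subscribers=1_000_000)
    print(f"CRL cost growth x10 : {growth_factor(crl_daily_bytes, small, 10):.1f}x")
    print(f"OCSP cost growth x10: {growth_factor(ocsp_daily_bytes, small, 10):.1f}x")
    print(f"Staleness, hourly CRL + daily fetch: "
          f"{worst_case_staleness_s(3600, SECONDS_PER_DAY)} s")
```

Under these assumptions a tenfold growth of the community raises the full-CRL download cost roughly a hundredfold while OCSP traffic grows tenfold, which is the distinction Phill draws between "slower under my assumptions" and "does not scale". The model deliberately ignores what operators use to tame CRL growth (delta CRLs, distribution-point partitioning, caching) and what OCSP deployments add (response caching, pre-signed responses), so it answers the order-of-growth question, not which approach is cheaper at any particular size.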