
Why is dcs-00's scalability deprecated?



In reviewing the dcs-00 draft, I believe that this represents a valuable and
versatile service. There's a paragraph in its introduction which I'm
wondering about:

"It is not recommended that the DCS be used as a substitute for normal
public key certificate revocation checking (e.g., CRLs, OCSP) in large
environments, due to concerns about the scalability of this protocol.  It
should only be used to support non-repudiation or to supplement more
traditional revocation services when more timely information is required."

Why is the scalability of DCS, if applied for certificate validation
purposes using unsigned cpkc requests, sufficiently different from OCSP's as
to motivate this deprecation?  Is the driving issue that DCSReqInfo's
mandated nonces (vs. requester ID and reqTime, which are optional) prevent
response preproduction, the potential that chain validations could prove
costly to aggregate at a common responder, and/or what other concerns are
being considered here?

Any clarifications and thoughts appreciated.

--jl
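An added illustration of the pre-production point raised in the question above; it is not part of jl's message or of the DCS draft. A toy responder counts signature operations and status determinations (a CRL or database lookup for an OCSP-style responder, a full chain validation for a cpkc-style request) over a burst of requests, once with a per-request nonce that the signature must cover, as DCSReqInfo mandates, and once without, where a response signed once per validity window can be served verbatim. A client-side check then shows why a pre-produced response cannot be replayed against a nonce-bearing request. The signing is an HMAC stand-in for a public-key signature, and the key, certificate identifiers and 600-second window are constructed; no DCS or OCSP message encoding is modelled.

```python
"""Why a mandatory per-request nonce defeats response pre-production."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical responder key. Real OCSP/DCS responses carry a public-key
# signature; HMAC stands in here so the example runs on the standard library.
# Each call to _sign() is counted as one signature operation.
RESPONDER_KEY = b"example-responder-key"


def tbs_bytes(resp: dict) -> bytes:
    """Canonical 'to-be-signed' encoding of a response (everything but sig)."""
    return repr(sorted((k, v) for k, v in resp.items() if k != "sig")).encode()


@dataclass
class Responder:
    nonce_required: bool          # True models DCSReqInfo's mandated nonce
    validity_secs: int = 600      # reuse window for a pre-produced response
    sig_ops: int = 0              # signatures performed
    backend_ops: int = 0          # status determinations (CRL/database lookup
                                  # for OCSP, full chain validation for cpkc)
    cache: dict = field(default_factory=dict)

    def _sign(self, resp: dict) -> bytes:
        self.sig_ops += 1
        return hmac.new(RESPONDER_KEY, tbs_bytes(resp), hashlib.sha256).digest()

    def _status(self, cert_id: str) -> str:
        self.backend_ops += 1
        return "good"             # constructed: every certificate is valid

    def _produce(self, cert_id: str, now: int, nonce: Optional[bytes]) -> dict:
        resp = {"cert": cert_id, "status": self._status(cert_id), "nonce": nonce,
                "thisUpdate": now, "nextUpdate": now + self.validity_secs}
        resp["sig"] = self._sign(resp)
        return resp

    def respond(self, cert_id: str, now: int, nonce: Optional[bytes]) -> dict:
        if self.nonce_required and nonce is None:
            raise ValueError("request syntax mandates a nonce")
        if nonce is not None:
            # The signature must cover the requester's nonce, so the response
            # cannot exist before the request does: one signature per request.
            return self._produce(cert_id, now, nonce)
        # No nonce: a response signed once per validity window can be served
        # verbatim to every requester asking about the same certificate.
        cached = self.cache.get(cert_id)
        if cached is None or not (cached["thisUpdate"] <= now < cached["nextUpdate"]):
            cached = self.cache[cert_id] = self._produce(cert_id, now, None)
        return cached


def client_accepts(resp: dict, sent_nonce: Optional[bytes], now: int) -> bool:
    """Relying-party checks: signature, nonce binding, freshness window."""
    expected = hmac.new(RESPONDER_KEY, tbs_bytes(resp), hashlib.sha256).digest()
    if not hmac.compare_digest(resp["sig"], expected):
        return False
    if sent_nonce is not None and resp["nonce"] != sent_nonce:
        return False              # replayed or pre-produced, not bound to us
    return resp["thisUpdate"] <= now < resp["nextUpdate"]


def simulate(nonce_required: bool, requests: int = 1000, certs: int = 10) -> tuple:
    """Drive one request per second; return (signature ops, backend ops)."""
    r = Responder(nonce_required=nonce_required)
    for now in range(requests):
        cert_id = f"cert-{now % certs}"          # constructed certificate ids
        nonce = os.urandom(16) if nonce_required else None
        resp = r.respond(cert_id, now, nonce)
        assert client_accepts(resp, nonce, now)
    return r.sig_ops, r.backend_ops


def replay_rejected() -> bool:
    """A pre-produced (nonce-less) response fails a nonce-expecting client."""
    r = Responder(nonce_required=False)
    stale = r.respond("cert-0", now=0, nonce=None)
    return not client_accepts(stale, os.urandom(16), now=1)


if __name__ == "__main__":
    print("nonce mandatory (DCS-style):", simulate(True))       # (1000, 1000)
    print("nonce absent (pre-producible):", simulate(False))    # (20, 20)
    print("replay of pre-produced response rejected:", replay_rejected())
```

With 1000 requests spread over 10 certificates, the nonce-bearing responder performs 1000 signatures and 1000 status determinations, while the nonce-less one performs 20 of each (one per certificate per 600-second window), so its cost scales with distinct certificates and windows rather than with request volume. The price of that amortisation is that a relying party gets a response only as fresh as its thisUpdate and must rely on the validity window rather than on a value it chose itself.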