RE: Why is dcs-00's scalability deprecated?
John;
We were considering both of the issues you mentioned as reasons for being
concerned about the scalability of DCS. Primarily though, it was the fact
that each response must be individually constructed, thus preventing
response preproduction and caching, that made us feel that this protocol is
not appropriate for normal cert revocation checking.
I would note that if responses were not preproduced by an OCSP responder,
then the two protocols would be approximately equivalent with respect to
scalability.
Robert.
> ----------
> From: Linn, John[SMTP:jlinn@securitydynamics.com]
> Sent: Wednesday, December 02, 1998 12:22 PM
> To: 'ietf-pkix@imc.org'
> Subject: Why is dcs-00's scalability deprecated?
>
> In reviewing the dcs-00 draft, I believe that this represents a valuable
> and
> versatile service. There's a paragraph in its introduction which I'm
> wondering about:
>
> "It is not recommended that the DCS be used as a substitute for normal
> public key certificate revocation checking (e.g., CRLs, OCSP) in large
> environments, due to concerns about the scalability of this protocol. It
> should only be used to support non-repudiation or to supplement more
> traditional revocation services when more timely information is required."
>
>
> Why is the scalability of DCS, if applied for certificate validation
> purposes using unsigned cpkc requests, sufficiently different from OCSP's
> as
> to motivate this deprecation? Is the driving issue that DCSReqInfo's
> mandated nonces (vs. requester ID and reqTime, which are optional) prevent
> response preproduction, the potential that chain validations could prove
> costly to aggregate at a common responder, and/or what other concerns are
> being considered here?
>
> Any clarifications and thoughts appreciated.
>
> --jl
>
>
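The preproduction argument in the exchange above, as an added illustration that is not part of either message: a toy Python responder that counts signing operations when every reply must echo a fresh, mandatory nonce (the DCS case as described) versus when replies are signed once per validity window and served from cache (the OCSP preproduction case). The HMAC "signature", the serials and statuses, and the validity window are constructed stand-ins, not anything from the drafts.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the responder's private key; HMAC plays the role of
# the signature so the example runs offline with only the standard library.
KEY = b"constructed-responder-key"

def sign(payload: bytes) -> bytes:
    return hmac.new(KEY, payload, hashlib.sha256).digest()

@dataclass
class Responder:
    statuses: dict                  # serial -> "good" | "revoked" (constructed)
    validity: int = 3600            # lifetime of a preproduced response, seconds
    sign_ops: int = 0               # how many times the "private key" was used
    _cache: dict = field(default_factory=dict)

    def nonce_response(self, serial: str, nonce: bytes, now: int):
        # Nonce-bound reply: the echoed nonce differs per request, so nothing
        # can be prepared ahead of time and every reply costs one signature.
        body = f"{serial}|{self.statuses[serial]}|{now}|{nonce.hex()}".encode()
        self.sign_ops += 1
        return body, sign(body)

    def cached_response(self, serial: str, now: int):
        # Preproduced reply: sign once per validity window, then hand the same
        # (body, signature) pair to every requester until it expires.
        entry = self._cache.get(serial)
        if entry is None or now >= entry[0] + self.validity:
            body = f"{serial}|{self.statuses[serial]}|{now}|{now + self.validity}".encode()
            self.sign_ops += 1
            entry = (now, body, sign(body))
            self._cache[serial] = entry
        return entry[1], entry[2]

def simulate(requests, mode: str, validity: int = 3600, now: int = 1_000_000) -> int:
    """Serve each request, verify it as a relying party, return signatures made."""
    r = Responder({"0001": "good", "0002": "revoked"}, validity=validity)
    for serial in requests:
        if mode == "nonce":
            nonce = secrets.token_bytes(16)
            body, sig = r.nonce_response(serial, nonce, now)
            assert body.endswith(nonce.hex().encode())   # freshness: nonce echoed
        else:
            body, sig = r.cached_response(serial, now)
            assert now <= int(body.split(b"|")[3])       # freshness: before nextUpdate
        assert hmac.compare_digest(sign(body), sig)      # signature verifies
    return r.sign_ops
```

Running `simulate(load, "cached", 0)` forces a fresh signature on every request, which is the case Robert describes as approximately equivalent to the nonce-bound protocol; the cached mode with a nonzero window trades timeliness (a revocation is not visible until the window expires) for the amortised signing cost.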