May 24, 2008
I just thought about the scaling problem of the SSL revoke lists, I wrote in my last blog post. The first two solutions that came into mind where peer-to-peer or DNS based ones. Peer-to-peer would be not that good for enterprise users so I took a short look at DNS based revoke list. I just entered it into google and got RFC 2538 back as answer. Thats a full solution for storing certificates in the DNS (and yes also a revoke list). Maybe we could use the revoke list part of this RFC for the SSL revoke lists. This solution would scale without problems and with DNSSEC it would get even more secure.
So why is that not implemented? Just one browser vendor and one CA need to go forward and the rest will follow. They could do that instead of the “green” https stuff which is only there to generate more money. What are your thoughts about this?