Microsoft vexed by falsified certs
Kevin Poulsen, SecurityFocus 2001-03-22

Scam artist duped VeriSign into issuing digital certificates under software-maker's name.

Blank CDP?? 2001-03-24
S Newton (1 replies)
CDP has limited value 2001-03-26
Paco Hope <paco (at) tovaris (dot) com>
A CDP would only be useful for downloading a CRL. While that does, sadly, appear to be the state of the art, it is utterly impractical. Imagine the load on the internet if everyone who saw a Verisign certificate downloaded the CRL via an HTTP connection. Some of the CRLs are hundreds of kilobytes.

So, while a CDP would allow the diligent certificate user to verify the authenticity of a given certificate, Verisign's servers wouldn't last very long if they were constantly hammered by CRL requests. It's interesting that an industry leader has such shoddy practices in this area. Still, the standards around X.509 revocation and the products and practices that are available are not ready for mass adoption by the Internet at large.

Copyright 2009, SecurityFocus