VeriSign Update on Certificate Revocation List Expiration

Posted by Puky

MOUNTAIN VIEW, CA. January 9, 2004 – VeriSign, Inc. (Nasdaq:VRSN), the leading provider of critical infrastructure services for the Internet and telecommunications networks, today issued the following statement regarding an increase in requests to download a Certificate Revocation List (CRL) from crl.verisign.com and possible response delays.

SITUATION UPDATE AS OF JANUARY 9, 3:00 PM PST

At midnight GMT (4pm PST) on January 7, 2004, VeriSign experienced a sudden and dramatic increase in the number of requests by Windows-based clients to download a CRL from crl.verisign.com. The CRL is a file that confirms the validity status of a set of certificates, and is used by applications and users to determine whether a particular certificate has been revoked.

VeriSign normally handles 500–1000 connection requests per second at crl.verisign.com, representing 200–400 Mbps of traffic. On January 7, 2004, traffic levels increased to 50,000–100,000 connection requests/s, representing over 1.5 Gbps of traffic. As a result, certain users attempting to retrieve CRLs experienced intermittent delays. VeriSign immediately took steps to increase capacity and determine the root cause. Within 24 hours, VeriSign had increased its capacity on crl.verisign.com ten-fold to handle this increased request load.

VeriSign regrets any delays, and is actively working with customers and partners that may have experienced response delays as a result of the increased demand.

SITUATION EXPLANATION:

Applications that rely on Public Key Infrastructure (PKI) certificates as part of their security design generally implement some mechanism for ensuring that those certificates are still valid. One common mechanism is obtaining a list of revoked certificates (called a CRL) from the certificate authority (CA) that issued those certificates. Applications generally obtain updated versions of CRLs on a periodic basis. VeriSign maintains a site, crl.verisign.com, that provides for the automatic retrieval of these CRLs.

VeriSign understands that MS CAPI-based applications running on XP and pre-XP Windows operating systems that had downloaded certain security patches from third party providers contained a particular CRL (Class3SoftwarePublishers.crl) that expired on January 7, 2004. With this expiration, users of these third party provider patches sought updates from crl.verisign.com. This sudden spike resulted in intermittent delays for users attempting to retrieve this particular CRL, as well as all other users attempting to retrieve CRLs from the site.

POSSIBLE APPLICATION BEHAVIOR:

Most applications that rely on CRLs will behave in one of two ways if they cannot contact the appropriate CRL repository, in this case crl.verisign.com. Some will continue to operate, relying on the information contained in a previously downloaded, yet still valid, CRL. These applications were unaffected by the service degradation. Those applications that could not utilize a locally cached CRL, and thus required access to the CRL repository at crl.verisign.com, would have eventually timed out and informed the user that up-to-date revocation information could not be determined. VeriSign understands that most of the behavior seen was from applications that fell into that second usage scenario.

Again, VeriSign regrets any inconvenience that may have resulted from this period of increased demand. In addition to increasing capacity, VeriSign has made certain modifications to the CRL distribution logic to more effectively handle subsequent wide-scale CRL downloads and continues to work with those that may have experienced response delays as a result of the increased demand. We also continue to work with industry leaders, partners, and the technical community to encourage promulgation of the use of alternative validity determination mechanisms, such as the online certificate status protocol (OCSP), which may be less susceptible to these kinds of periodic events.

Please note that this situation is unrelated to the Intermediate CA expiration issue discussed at http://www.verisign.com/support/vendors/exp-gsid-ssl.html

VeriSign will post additional updates to its site as warranted.

About VeriSign
VeriSign, Inc. (Nasdaq: VRSN), delivers critical infrastructure services that make the Internet and telecommunications networks more intelligent, reliable and secure. Every day VeriSign helps thousands of businesses and millions of consumers connect, communicate, and transact with confidence. Additional news and information about the company is available at http://www.verisign.com.

For more information, contact:
VeriSign Media Relations: Brendan P. Lewis, brlewis@verisign.com, 650-426-4470
VeriSign Investor Relations: Kathleen Bare, kbare@verisign.com, 650-426-3241
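
The two client behaviours described under POSSIBLE APPLICATION BEHAVIOR, and the way one shared expiry instant turns into a synchronized download surge, can be modelled as follows. This is an added example, not code from VeriSign or from the original post; the client count, repository capacity and seven-day lifetime of a fresh CRL are constructed values, and `check_revocation` and `simulate` are hypothetical names.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum

class Outcome(Enum):
    CACHED = "relied on cached, still-valid CRL"
    FETCHED = "downloaded a fresh CRL"
    UNKNOWN = "timed out; revocation status undetermined"

def check_revocation(now, cached_next_update, repo_answers):
    """One revocation check by one client.

    cached_next_update: nextUpdate of the locally held CRL (None if no CRL).
    repo_answers: whether the CRL repository responds before the timeout.
    """
    if cached_next_update is not None and now < cached_next_update:
        return Outcome.CACHED      # first behaviour: no network request at all
    if repo_answers:
        return Outcome.FETCHED
    return Outcome.UNKNOWN         # second behaviour: time out, inform the user

def simulate(n_clients, bundled_expiry, start, hours, capacity_per_hour):
    """Hourly outcome counts for clients that all shipped with the same CRL."""
    next_update = [bundled_expiry] * n_clients
    timeline = []
    for h in range(hours):
        now = start + timedelta(hours=h)
        served = 0
        counts = {o: 0 for o in Outcome}
        for i in range(n_clients):
            outcome = check_revocation(now, next_update[i], served < capacity_per_hour)
            if outcome is Outcome.FETCHED:
                served += 1
                next_update[i] = now + timedelta(days=7)   # constructed CRL lifetime
            counts[outcome] += 1
        timeline.append((now, counts))
    return timeline

# Expiry instant from the statement (midnight GMT, January 7, 2004); the
# client count and repository capacity are constructed for illustration.
EXPIRY = datetime(2004, 1, 7, tzinfo=timezone.utc)
TIMELINE = simulate(1000, EXPIRY, EXPIRY - timedelta(hours=2), 6, 300)

if __name__ == "__main__":
    for when, counts in TIMELINE:
        print(when.isoformat(), {o.name: n for o, n in counts.items()})
```

Until the shared expiry every check is answered from cache and the repository sees no load; from that hour on, every client without a fresh CRL retries until it is served, so the backlog drains only as fast as repository capacity allows.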


