[SSL Observatory] SSL CA compromise in the wild

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Mar 24 23:14:37 PDT 2011


Erwann ABALEA <erwann at abalea.com> writes:

>I'd create a long-lived OCSP responder certificate with the OCSPNoCheck 
>extension. This kind of certificate can't be revoked *at all*, and has the 
>same power as a CRL-signing key (which can be revoked).

Ooh, nice!  That's what I like about OCSP, there are just so many ways you can 
subvert it, and some of them were even designed in by the standards committee.

Peter.
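The quoted point is that a delegated OCSP responder certificate carrying id-pkix-ocsp-nocheck is trusted for its whole validity period without any revocation check, so a long-lived one cannot be withdrawn. The following is an added audit example, not code from this thread: it parses an X.509 Extensions block with a small stdlib-only DER walker, checks that the certificate is actually a delegated responder (id-kp-OCSPSigning in extKeyUsage), and flags the nocheck extension when the validity period exceeds a local policy limit. The OIDs are the standard ones; the 90-day limit and the sample extension block are constructed assumptions.

```python
"""Audit a delegated OCSP responder certificate's extensions for id-pkix-ocsp-nocheck.

Hypothetical example (not from the thread): stdlib-only DER parsing, so it runs
without the `cryptography` package. The sample extension block is constructed here.
"""
from datetime import datetime, timedelta

OID_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"   # id-pkix-ocsp-nocheck
OID_EXT_KEY_USAGE = "2.5.29.37"              # extKeyUsage
OID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"    # id-kp-OCSPSigning
MAX_NOCHECK_DAYS = 90  # local policy assumption, not a value from any standard


def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag/length/value (short and long definite lengths)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def decode_oid(content: bytes) -> str:
    """Decode OID content bytes; the first-byte split is exact for arcs below 2.40."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(data: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def parse_extensions(ext_der: bytes):
    """Parse an X.509 Extensions SEQUENCE into (oid, critical, extnValue) tuples."""
    tag, content, _ = read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(content):
        _, ext, pos = read_tlv(content, pos)
        _, oid_bytes, p = read_tlv(ext, 0)
        tag, value, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                      # optional BOOLEAN critical, DEFAULT FALSE
            critical = value != b"\x00"
            _, value, p = read_tlv(ext, p)
        out.append((decode_oid(oid_bytes), critical, value))
    return out


def audit_ocsp_responder(ext_der: bytes, not_before: datetime, not_after: datetime):
    """Return a list of findings (empty when the responder certificate looks sane)."""
    exts = {oid: value for oid, _, value in parse_extensions(ext_der)}
    ekus, findings = [], []
    if OID_EXT_KEY_USAGE in exts:
        _, seq, _ = read_tlv(exts[OID_EXT_KEY_USAGE], 0)   # SEQUENCE OF KeyPurposeId
        pos = 0
        while pos < len(seq):
            _, oid_bytes, pos = read_tlv(seq, pos)
            ekus.append(decode_oid(oid_bytes))
    if OID_KP_OCSP_SIGNING not in ekus:
        findings.append("missing id-kp-OCSPSigning EKU: not a delegated responder certificate")
    if OID_OCSP_NOCHECK in exts:
        days = (not_after - not_before).days
        if days > MAX_NOCHECK_DAYS:
            findings.append(f"id-pkix-ocsp-nocheck with {days}-day validity: "
                            "clients skip revocation checks for this key for its whole lifetime")
    return findings


def build_sample_extensions(with_nocheck: bool) -> bytes:
    """Constructed sample: extKeyUsage=OCSPSigning, optionally id-pkix-ocsp-nocheck (NULL)."""
    eku_value = der_tlv(0x30, encode_oid(OID_KP_OCSP_SIGNING))
    exts = der_tlv(0x30, encode_oid(OID_EXT_KEY_USAGE) + der_tlv(0x04, eku_value))
    if with_nocheck:
        exts += der_tlv(0x30, encode_oid(OID_OCSP_NOCHECK) + der_tlv(0x04, der_tlv(0x05, b"")))
    return der_tlv(0x30, exts)


def run_demo():
    """Audit three constructed responder certificates; returns {case: findings}."""
    start = datetime(2011, 3, 24)
    return {
        "nocheck_10y": audit_ocsp_responder(build_sample_extensions(True), start, start + timedelta(days=3650)),
        "nocheck_30d": audit_ocsp_responder(build_sample_extensions(True), start, start + timedelta(days=30)),
        "no_nocheck": audit_ocsp_responder(build_sample_extensions(False), start, start + timedelta(days=3650)),
    }


if __name__ == "__main__":
    for case, findings in run_demo().items():
        print(case, findings or "OK")
```

To use this on a real certificate, feed `audit_ocsp_responder` the DER of the certificate's Extensions sequence together with its notBefore/notAfter; the mitigation the finding points at is the one implied by the thread, namely keeping nocheck responder certificates short-lived so that an unrevocable key expires quickly.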
