[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
Martin Rublik
martin.rublik at gmail.com
Mon Sep 5 02:34:06 PDT 2011
On 5. 9. 2011 11:23, Gervase Markham wrote:
> Hi Peter,
>
> On 04/09/11 07:15, Peter Gutmann wrote:
>> Blacklist-based validity checking, the Second Dumbest Idea in Computer
>> Security (Marcus Ranum), doesn't work:
>>
>> Diginotar issued certs for which there was no record of issuance, therefore
>> they couldn't be revoked. Whitelist-based checking would have prevented
>> this.
>
> Surely OCSP is whitelist-based checking? (I can't imagine engineering an
> OCSP server which, when asked about a certificate for which it had no
> record, said "Fine, no problem!")
There are implementations of OCSP responders that use a CRL as the input for
determining whether a certificate is valid or not. So this is kind of a blacklist...
Kind regards
Martin Rublik
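To make the distinction in this exchange concrete, here is an added toy model (not code from the thread or from any CA) of two OCSP responder back-ends over constructed serial numbers: one that only consults a CRL, and one that consults the CA's issuance database first. The hypothetical rogue serial 0x7777 stands in for a certificate issued without any record of issuance.

```python
"""Toy model of two OCSP responder back-ends (constructed data, added example).

Statuses follow RFC 6960: "good", "revoked", "unknown".  A responder that is
fed only by the CRL answers "good" for any serial it has never heard of, which
is exactly the blacklist problem: a certificate that was never recorded can
never appear on the revocation list.
"""

# Constructed sample data: serials the CA recorded issuing, and its CRL.
ISSUANCE_DB = {0x1001, 0x1002, 0x1003}      # issuance log of the CA
CRL = {0x1002: "keyCompromise"}              # serial -> revocation reason
ROGUE_SERIAL = 0x7777                        # hypothetical: issued, never logged


def crl_backed_status(serial: int, crl: dict) -> str:
    """Blacklist check: anything not on the CRL is reported as 'good'."""
    return "revoked" if serial in crl else "good"


def whitelist_backed_status(serial: int, issued: set, crl: dict,
                            extended_revoke: bool = False) -> str:
    """Whitelist check: consult the issuance database before the CRL.

    A serial the CA never recorded yields 'unknown', or 'revoked' when the
    responder implements the RFC 6960 extended-revoke behaviour for
    non-issued certificates (section 2.2 / 4.4.8).
    """
    if serial not in issued:
        return "revoked" if extended_revoke else "unknown"
    return "revoked" if serial in crl else "good"


def compare(serials, issued=ISSUANCE_DB, crl=CRL) -> dict:
    """Return {serial: (crl_backed_answer, whitelist_backed_answer)}."""
    return {s: (crl_backed_status(s, crl), whitelist_backed_status(s, issued, crl))
            for s in serials}


if __name__ == "__main__":
    for serial, (blacklist, whitelist) in compare([0x1001, 0x1002, ROGUE_SERIAL]).items():
        print(f"serial {serial:#06x}: CRL-backed={blacklist:8} whitelist-backed={whitelist}")
```

The rogue serial is the interesting row: the CRL-backed responder vouches for it, while the whitelist-backed one refuses to.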