[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Mon Sep 5 20:17:28 PDT 2011
Rob Stradling <rob.stradling at comodo.com> writes:
>So if it's "totally broken", why don't you and Kathleen add "OCSP Responders
>MUST NOT report 'good' if the certificate is not known to have been issued"
>to the Mozilla CA Certificate Policy?
Probably wouldn't help that much, see my previous message. OCSP really is
kind of unfixable by design.
(Having now skimmed through a few more messages in this thread, I really am...
rather disturbed at how many people involved with PKI (given that they're on
this list) think OCSP provides a completely different service than it actually
does).
Peter.