[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
Rob Stradling
rob.stradling at comodo.com
Tue Sep 13 08:33:24 PDT 2011
On Tuesday 13 Sep 2011 16:23:45 Daniel Kahn Gillmor wrote:
> On 09/13/2011 10:58 AM, Rob Stradling wrote:
> > OCSP Stapling solves OCSP's Privacy problem (and some of its Reliability,
> > Performance and Availability problems too!), doesn't it?
>
> Isn't OCSP stapling logically equivalent to the much simpler approach
> of short-lived, frequently-updated, OCSP-less certificates?
A Client that consumes short-lived certs would need to have an accurate clock.
OCSP-with-nonces and RTCS-with-nonces don't require the Client to have an
accurate clock, or even to have a clock at all.
There seems to be a requirement for the "something else" solution to not
require the Client to have an accurate clock.
> i wonder if any Certificate Authority offers such a service (with
> automated update, presumably).
>
> --dkg
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
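As an added illustration (not code from the thread or from Comodo), a small Python model of the two checks contrasted above: a short-lived certificate is accepted only if the client's own clock falls inside the validity window, so the tolerable clock error shrinks with the certificate lifetime, whereas a nonce-bound OCSP/RTCS response is accepted on the strength of the echoed nonce and the signature alone. The sample times, lifetime and clock skews are constructed values.

```python
"""Model of clock-dependent vs nonce-bound freshness checks (added example)."""
import hmac
import secrets
from datetime import datetime, timedelta, timezone


def short_lived_cert_acceptable(not_before, not_after, client_now):
    """A short-lived cert is judged solely against the client's own clock."""
    return not_before <= client_now <= not_after


def tolerable_skew_hours(not_before, not_after, true_now):
    """Range of client clock error (hours) that still accepts the cert.
    Negative = client clock behind real time, positive = ahead."""
    lo = (not_before - true_now).total_seconds() / 3600
    hi = (not_after - true_now).total_seconds() / 3600
    return (lo, hi)


def ocsp_nonce_response_acceptable(request_nonce, response_nonce, signature_valid):
    """Nonce-bound OCSP/RTCS: freshness comes from the nonce echo, not a clock.
    The signature check is modelled as a boolean supplied by the caller."""
    return bool(signature_valid) and hmac.compare_digest(request_nonce, response_nonce)


def demo():
    # Constructed scenario: a 24h cert issued 4h ago, checked by clients whose
    # clocks are exact, 12h ahead, 6h behind and 30h ahead of real time.
    true_now = datetime(2011, 9, 13, 16, 0, tzinfo=timezone.utc)
    not_before = true_now - timedelta(hours=4)
    not_after = not_before + timedelta(hours=24)
    skews = [timedelta(0), timedelta(hours=12), timedelta(hours=-6), timedelta(hours=30)]

    cert_results = [short_lived_cert_acceptable(not_before, not_after, true_now + s)
                    for s in skews]

    # The same clients doing a nonce-bound status check: the clock never enters.
    nonce = secrets.token_bytes(16)
    nonce_results = [ocsp_nonce_response_acceptable(nonce, nonce, True) for _ in skews]
    # A replayed response carries a different (old) nonce and is rejected.
    replay_ok = ocsp_nonce_response_acceptable(nonce, secrets.token_bytes(16), True)

    return {
        "cert": cert_results,
        "nonce": nonce_results,
        "replay": replay_ok,
        "skew_window_hours": tolerable_skew_hours(not_before, not_after, true_now),
    }


if __name__ == "__main__":
    print(demo())
```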