[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Rob Stradling rob.stradling at comodo.com
Tue Sep 13 08:33:24 PDT 2011


On Tuesday 13 Sep 2011 16:23:45 Daniel Kahn Gillmor wrote:
> On 09/13/2011 10:58 AM, Rob Stradling wrote:
> > OCSP Stapling solves OCSP's Privacy problem (and some of its Reliability,
> > Performance and Availability problems too!), doesn't it?
> 
> Isn't OCSP stapling logically equivalent to the much simpler approach
> of short-lived, frequently-updated, OCSP-less certificates?

A Client that consumes short-lived certs would need to have an accurate clock.

OCSP-with-nonces and RTCS-with-nonces don't require the Client to have an 
accurate clock, or even to have a clock at all.

There seems to be a requirement for the "something else" solution to not 
require the Client to have an accurate clock.

> i wonder if any Certificate Authority offers such a service (with
> automated update, presumably).
> 
> 	--dkg

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
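The clock point above can be made concrete. The following is an added example, not code from this thread or from Comodo: it contrasts a short-lived certificate, whose acceptance can only be judged against the client's own clock, with a nonce-bound status response, whose freshness the client verifies without consulting any clock. The responder's signature is stood in for by an HMAC over a shared key (an assumption made so the example runs with the standard library only); a real OCSP or RTCS responder would sign with its private key. Serial numbers, times and the revoked set are constructed for the example.

```python
# Added example: clock-dependent vs nonce-dependent freshness checks.
# The HMAC stands in for the responder's signature (assumption for portability).
import hmac
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def short_lived_cert_acceptable(not_before, not_after, client_clock):
    """A client can only place a short-lived cert inside its validity window
    using its own clock; if the clock is wrong, a valid cert is rejected."""
    return not_before <= client_clock <= not_after


class StatusResponder:
    """Toy OCSP/RTCS-style responder returning an authenticated, nonce-bound status."""

    def __init__(self, key, revoked_serials):
        self.key = key
        self.revoked = set(revoked_serials)

    def respond(self, serial, nonce):
        status = b"revoked" if serial in self.revoked else b"good"
        body = serial.to_bytes(8, "big") + status + nonce
        tag = hmac.new(self.key, body, hashlib.sha256).digest()  # stands in for a signature
        return {"serial": serial, "status": status, "nonce": nonce, "tag": tag}


def verify_status_response(verify_key, resp, expected_nonce):
    """Client side: accept the answer only if it is authentic and echoes the
    nonce this client chose for this query. No clock is read anywhere here."""
    body = resp["serial"].to_bytes(8, "big") + resp["status"] + resp["nonce"]
    expected_tag = hmac.new(verify_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, resp["tag"]):
        raise ValueError("status response failed authentication")
    if not hmac.compare_digest(resp["nonce"], expected_nonce):
        raise ValueError("status response is not fresh (nonce mismatch)")
    return resp["status"].decode()


def query_status(responder, verify_key, serial):
    """One round trip: fresh nonce out, verified status back."""
    nonce = secrets.token_bytes(16)
    return verify_status_response(verify_key, responder.respond(serial, nonce), nonce)


def demo():
    # Constructed "true" time and a 24-hour short-lived certificate around it.
    now = datetime(2011, 9, 13, 16, 0, tzinfo=UTC)
    not_before, not_after = now - timedelta(hours=1), now + timedelta(hours=23)
    skewed_clock = now - timedelta(days=3)  # client clock three days slow
    results = {
        "short_lived_ok_with_good_clock": short_lived_cert_acceptable(not_before, not_after, now),
        "short_lived_ok_with_skewed_clock": short_lived_cert_acceptable(not_before, not_after, skewed_clock),
    }

    key = b"constructed responder key"
    responder = StatusResponder(key, revoked_serials=[0x1234])
    results["good_serial"] = query_status(responder, key, 0x4242)
    results["revoked_serial"] = query_status(responder, key, 0x1234)

    # Replay: a captured "good" answer for an earlier nonce must not satisfy a
    # later query, even after the serial has since been revoked.
    captured = responder.respond(0x4242, secrets.token_bytes(16))
    responder.revoked.add(0x4242)
    try:
        verify_status_response(key, captured, secrets.token_bytes(16))
        results["replay_accepted"] = True
    except ValueError:
        results["replay_accepted"] = False
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The skewed client rejects a perfectly valid one-day certificate, while the nonce-bound query gives the same answer regardless of what the client's clock says. The trade-off is that a nonced response has to be signed per request by the responder, which is why stapled OCSP responses are nonce-less and instead carry a signed time window, bringing the clock requirement back on the client side.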


