[SSL Observatory] Fixing Revocation, security policy

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Sep 22 01:40:45 PDT 2011


Phillip Hallam-Baker <hallam at gmail.com> writes:

>2) Technical defects in OCSP: the cert is referenced by the serial number,
>not the hash of the cert.

This won't help.  Remember how I said earlier that OCSP is multiple-redundant
broken by design?  If you change the ID from the serial number to a hash then
the fact that it's blacklist-based will allow attackers to evade the
blacklist just as easily as with the serial number as ID.

Peter.
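As an added illustration of the point above (not part of the thread): a toy Python model of a blacklist-style responder versus an issuance-record ("whitelist") responder, keyed either by issuer-plus-serial or by a hash of the certificate. The `Cert` class, the two responder classes and the certificate bytes are all constructed stand-ins, not real X.509 or OCSP code.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:  # constructed stand-in for an X.509 certificate, not a real parser
    issuer: str
    serial: int
    der: bytes  # stands in for the DER encoding a hash-based ID would cover

def serial_id(cert):
    """OCSP's identifier: issuer plus serial number."""
    return (cert.issuer, cert.serial)

def hash_id(cert):
    """Proposed alternative: a hash over the whole certificate."""
    return hashlib.sha256(cert.der).hexdigest()

class BlacklistResponder:
    """CRL/OCSP style: only revoked IDs are stored; any other ID is answered 'good'."""
    def __init__(self, key_fn):
        self.key_fn, self.revoked = key_fn, set()
    def revoke(self, cert):
        self.revoked.add(self.key_fn(cert))
    def status(self, cert):
        return "revoked" if self.key_fn(cert) in self.revoked else "good"

class WhitelistResponder:
    """Issuance-record style: only IDs the CA recorded at issuance can be 'good'."""
    def __init__(self, key_fn):
        self.key_fn, self.records = key_fn, {}
    def issue(self, cert):
        self.records[self.key_fn(cert)] = "good"
    def revoke(self, cert):
        self.records[self.key_fn(cert)] = "revoked"
    def status(self, cert):
        return self.records.get(self.key_fn(cert), "unknown")

def compare():
    """Same scenario through three designs; returns {design: (recorded, unrecorded)}."""
    recorded = Cert("Example CA", 1, b"constructed DER of a cert the CA recorded")
    unrecorded = Cert("Example CA", 2, b"constructed DER of a cert it never recorded")
    results = {}
    for name, resp in [("blacklist/serial", BlacklistResponder(serial_id)),
                       ("blacklist/hash", BlacklistResponder(hash_id)),
                       ("whitelist/hash", WhitelistResponder(hash_id))]:
        if isinstance(resp, WhitelistResponder):
            resp.issue(recorded)
        resp.revoke(recorded)  # the CA knows this one exists, so it can revoke it
        results[name] = (resp.status(recorded), resp.status(unrecorded))
    return results
```

Both blacklist designs answer "good" for the certificate the CA never recorded, whichever identifier is used; only the issuance-record design distinguishes it as "unknown".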


