[SSL Observatory] Fixing Revocation, security policy
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Thu Sep 22 01:40:45 PDT 2011
Phillip Hallam-Baker <hallam at gmail.com> writes:
>2) Technical defects in OCSP: the cert is referenced by the serial number,
>not the hash of the cert.
This won't help. Remember how I said earlier that OCSP is multiple-redundant
broken by design? If you change the ID from the serial number to a hash then
the fact that it's blacklist-based will allow attackers to evade the
blacklist just as easily as with the serial number as ID.
Peter.
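An added illustration of the point made above (example code written for this page, not Peter's or anyone else's implementation): two toy blacklist-style responders, one keyed on (issuer, serial) and one keyed on a hash of the certificate, answer identically for a certificate that was never entered into the CA's records. Only a responder that also knows the set of certificates actually issued can distinguish "never saw this" from "not revoked". The `Cert` type, the responder classes, the sample certificates and the rogue-certificate scenario are all constructed for the example; real OCSP (RFC 6960) has a richer status model than the three strings used here.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (not a real parser)."""
    issuer: str
    serial: int
    der: bytes  # stand-in for the DER encoding, used only for hashing


def cert_hash(cert: Cert) -> str:
    """Identify a certificate by a hash of its encoding instead of its serial."""
    return hashlib.sha256(cert.der).hexdigest()


class BlacklistResponder:
    """Toy responder that knows only which certificates were revoked.

    Anything not on the revocation list is reported as 'good', regardless of
    whether the CA ever issued it. This is the blacklist property the post
    criticises, and it holds no matter which identifier keys the list.
    """

    def __init__(self, revoked, key):
        self.key = key
        self.revoked = {key(c) for c in revoked}

    def status(self, cert: Cert) -> str:
        return "revoked" if self.key(cert) in self.revoked else "good"


class WhitelistResponder:
    """Toy responder that also knows the full set of certificates the CA issued."""

    def __init__(self, issued, revoked, key):
        self.key = key
        self.issued = {key(c) for c in issued}
        self.revoked = {key(c) for c in revoked}

    def status(self, cert: Cert) -> str:
        k = self.key(cert)
        if k in self.revoked:
            return "revoked"
        if k in self.issued:
            return "good"
        return "unknown"  # never issued as far as the CA's records show


# Constructed sample data: two legitimately issued certs, one of them revoked,
# and a hypothetical rogue cert that never reached the CA's issuance database
# (the attacker picks any fresh serial and, necessarily, has a fresh hash).
ISSUED = [
    Cert("Example CA", 1001, b"constructed-cert-1001"),
    Cert("Example CA", 1002, b"constructed-cert-1002"),
]
REVOKED = [ISSUED[1]]
ROGUE = Cert("Example CA", 9999, b"constructed-cert-9999-never-recorded")


def compare(cert: Cert) -> dict:
    """Return the status each toy responder reports for one certificate."""
    by_serial = BlacklistResponder(REVOKED, key=lambda c: (c.issuer, c.serial))
    by_hash = BlacklistResponder(REVOKED, key=cert_hash)
    whitelist = WhitelistResponder(ISSUED, REVOKED, key=cert_hash)
    return {
        "blacklist_serial": by_serial.status(cert),
        "blacklist_hash": by_hash.status(cert),
        "whitelist_hash": whitelist.status(cert),
    }


if __name__ == "__main__":
    for label, c in (("issued", ISSUED[0]), ("revoked", REVOKED[0]), ("rogue", ROGUE)):
        print(label, compare(c))
```

Switching the key from serial to hash changes nothing for the rogue certificate: both blacklist responders answer "good" because the blacklist has never heard of it, which is exactly the evasion the post describes. The whitelist variant answers "unknown" for it, but only because it carries the CA's issuance records, which is a different design rather than a different identifier.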