[SSL Observatory] Fixing Revocation, security policy

Phillip Hallam-Baker hallam at gmail.com
Thu Sep 22 05:14:50 PDT 2011


On Thu, Sep 22, 2011 at 4:40 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:

> Phillip Hallam-Baker <hallam at gmail.com> writes:
>
> >2) Technical defects in OCSP: the cert is referenced by the serial number,
> >not the hash of the cert.
>
> This won't help. Remember how I said earlier that OCSP is multiple-redundant
> broken by design? If you change the ID from the serial number to a hash then
> the fact that it's blacklist-based will allow attackers to evade the
> blacklist just as easily as with the serial-number as ID.
The issue you were complaining about in that respect was due to Valicert's
insistence on enabling their business model. Valicert only had CRLs to work
on and did not know the database of issued certs.

The CAs I have worked with have always known the set of issued certs. It was
not an issue.


What is the error response that a CA is meant to give when it receives a
status request for a cert it knows was never issued?

If there isn't one we should fix OCSP in PKIX. I believe that was planned in
any case.

-- 
Website: http://hallambaker.com/
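The disagreement above is about what a responder can know: a CRL-only responder (the Valicert-style model Hallam-Baker refers to) has only a blacklist of revoked serials, so any identifier that is not on it, serial or certificate hash, comes back "good", including certificates the CA never issued. A responder that holds the issued-certificate database can answer the never-issued case differently. The toy model below, an added example and not code from this thread or from any CA's software, shows both responders side by side; the issued database, CRL and certificate bytes are constructed sample data, and the `CertId`/`Response` types are this example's own. The "never issued" answer follows RFC 6960 (2013), which allows either "unknown" or, with the extended-revoke behaviour, "revoked" with a revocation date of 1 January 1970 and reason certificateHold.

```python
"""Toy OCSP status model: blacklist-only vs issued-database responders.

Added example for the thread, not code from it. Every serial, CRL entry
and certificate below is constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"

# Constructed issuer database: serial -> certificate bytes (placeholders
# standing in for DER; a real responder would index real certificates).
ISSUED = {
    0x1001: b"constructed-cert-1001",
    0x1002: b"constructed-cert-1002",
    0x1003: b"constructed-cert-1003",
}
# Constructed CRL: the only thing a blacklist-only responder knows.
CRL = {0x1002}
CRL_TIMES = {0x1002: datetime(2011, 9, 1, tzinfo=timezone.utc)}


def cert_hash(der: bytes) -> str:
    """Identify a certificate by the hash of its bytes (the alternative
    identifier discussed in the thread)."""
    return hashlib.sha256(der).hexdigest()


# Hash index for the responder that knows the issued set.
ISSUED_BY_HASH = {cert_hash(der): serial for serial, der in ISSUED.items()}


@dataclass(frozen=True)
class CertId:
    """OCSP request identifier (this example's own type): either the
    serial number, as RFC 2560 uses, or a hash of the certificate."""
    serial: Optional[int] = None
    cert_sha256: Optional[str] = None


@dataclass(frozen=True)
class Response:
    status: str
    revocation_time: Optional[datetime] = None
    reason: Optional[str] = None


def crl_only_responder(cid: CertId) -> Response:
    """Responder that knows only the CRL. Anything not on the blacklist is
    reported good, including serials the CA never issued, and a hash
    identifier cannot be checked against anything at all."""
    if cid.serial is not None and cid.serial in CRL:
        return Response(REVOKED, CRL_TIMES[cid.serial], "unspecified")
    return Response(GOOD)


def issued_db_responder(cid: CertId, extended_revoke: bool = False) -> Response:
    """Responder that knows the set of issued certificates. A never-issued
    certificate is 'unknown', or, with the RFC 6960 extended-revoke
    behaviour, 'revoked' dated 1970-01-01 with reason certificateHold."""
    serial = cid.serial
    if serial is None and cid.cert_sha256 is not None:
        serial = ISSUED_BY_HASH.get(cid.cert_sha256)
    if serial is None or serial not in ISSUED:
        if extended_revoke:
            epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
            return Response(REVOKED, epoch, "certificateHold")
        return Response(UNKNOWN)
    if serial in CRL:
        return Response(REVOKED, CRL_TIMES[serial], "unspecified")
    return Response(GOOD)


def compare(cid: CertId) -> dict:
    """Both responders' answers for one request, for side-by-side review."""
    return {
        "crl_only": crl_only_responder(cid).status,
        "issued_db": issued_db_responder(cid).status,
        "issued_db_extended": issued_db_responder(cid, extended_revoke=True).status,
    }


if __name__ == "__main__":
    for label, cid in [
        ("issued, not revoked", CertId(serial=0x1001)),
        ("issued, revoked", CertId(serial=0x1002)),
        ("never issued (serial)", CertId(serial=0x9999)),
        ("never issued (hash)", CertId(cert_sha256=cert_hash(b"constructed-unknown"))),
    ]:
        print(f"{label:24s} {compare(cid)}")
```

The point the model makes concrete: switching the identifier from serial to hash changes nothing for the CRL-only responder, because its only knowledge is the blacklist; what changes the never-issued answer is the responder holding the issued set, which is the data the CAs Hallam-Baker describes already had.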