Juergen Schmidt wrote:
> - As far as I know not all CAs support OCSP and a lot of older
> certificates provide no OCSP-URI. They will stay attackable without
> blacklist. But I have no statistics about that yet.

A quick check shows that from 225 weak certificates we collected in the wild only 43 had an OCSP URI. This is less than 20%.

Note: we counted only explicit "OCSP - URI" declarations in the extended section. If there are other ways of declaring a valid OCSP responder, we did not count them. For example some certificates have a "Netscape Revocation Url". I don't know what this means.

bye, ju

--
Juergen Schmidt
Chefredakteur heise Security
www.heisec.de
Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover
Tel. +49 511 5352 300
FAX +49 511 5352 417
EMail [EMAIL PROTECTED]
GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970
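
The kind of count described in the message above, as an added example that is not part of the original post or the author's tooling: it scans `openssl x509 -noout -text` dumps for explicit "OCSP - URI" declarations and separately reports certificates that carry only a "Netscape Revocation Url". The sample dumps, host names and function names are constructed for illustration.

```python
import re

# Constructed, trimmed `openssl x509 -noout -text` dumps (not real certificates).
SAMPLE_DUMPS = {
    "with-ocsp.pem": """\
        X509v3 extensions:
            Authority Information Access: 
                OCSP - URI:http://ocsp.example.test
                CA Issuers - URI:http://ca.example.test/ca.crt
""",
    "netscape-only.pem": """\
        X509v3 extensions:
            Netscape Revocation Url: 
                https://legacy.example.test/revoked?
""",
    "no-pointer.pem": """\
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
""",
}

# Explicit responder declaration inside Authority Information Access.
OCSP_RE = re.compile(r"^[ \t]*OCSP - URI:(\S+)", re.M)
# Legacy Netscape extension; openssl prints its value on the following line.
NS_REVOCATION_RE = re.compile(
    r"^[ \t]*Netscape (?:CA )?Revocation Url:[ \t]*\n[ \t]*(\S+)", re.M)

def classify(dump):
    """Return (category, urls) for one certificate text dump."""
    ocsp = OCSP_RE.findall(dump)
    if ocsp:
        return "ocsp", ocsp
    legacy = NS_REVOCATION_RE.findall(dump)
    if legacy:
        return "netscape-only", legacy
    return "none", []

def tally(dumps):
    """Count certificates per category across a {name: dump} mapping."""
    counts = {"ocsp": 0, "netscape-only": 0, "none": 0}
    for dump in dumps.values():
        counts[classify(dump)[0]] += 1
    return counts

def ocsp_share(counts):
    """Fraction of certificates with an explicit OCSP URI."""
    total = sum(counts.values())
    return counts["ocsp"] / total if total else 0.0

if __name__ == "__main__":
    result = tally(SAMPLE_DUMPS)
    print(result, f"{ocsp_share(result):.1%} with OCSP URI")
```
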
