On 10/21/2011 03:09 PM, From Kai Engert:
This is an idea of how we could improve today's world of PKI, OCSP, CAs.

https://kuix.de/mecai/

Review, thoughts and reports of flaws welcome.


Interesting - but it probably will never work. I don't see CAs cooperating to this extent, and it will probably create a few other issues on the way.

However I'm still not sure why hard fail for revocation status can't be enforced. You've got OCSP, CRLs and if browsers implement fail-over and redundancy correctly, it could work already today I guess. From my experience it's the browsers which fail to use the full potential.

For CAs that don't provide sufficient alternatives (multiple OCSP URIs, CRLs), redundant servers etc., subscribers will find better sources for their certificates.

--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    start...@startcom.org
Blog:    http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
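
The reply above argues that hard fail becomes workable once a client fails over across every OCSP URI and CRL a CA offers. The sketch below is an added example, not code from the thread or from any browser: it models that policy with simulated sources, and all names, URLs and serial numbers in it are constructed for illustration.

```python
from enum import Enum

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # no source gave a definitive answer

class SourceUnavailable(Exception):
    """Raised by a fetcher when an OCSP responder or CRL host is unreachable."""

def check_revocation(serial, sources, fetch):
    """Query sources in order, failing over on errors; return (Status, log)."""
    log = []
    for kind, url in sources:
        try:
            answer = fetch(kind, url, serial)
        except SourceUnavailable as exc:
            log.append((url, "unavailable: %s" % exc))
            continue  # fail over to the next OCSP URI or CRL
        log.append((url, answer.value))
        if answer in (Status.GOOD, Status.REVOKED):
            return answer, log  # first definitive answer wins
    return Status.UNKNOWN, log

def accept_certificate(status, hard_fail):
    """Soft fail treats 'no answer' as good; hard fail treats it as a failure."""
    if status is Status.GOOD:
        return True
    if status is Status.REVOKED:
        return False
    return not hard_fail

# Constructed sample data: two OCSP responders and one CRL for a made-up CA.
SOURCES = [("ocsp", "http://ocsp1.ca.example/"),
           ("ocsp", "http://ocsp2.ca.example/"),
           ("crl", "http://crl.ca.example/ca.crl")]
REVOKED_SERIALS = {0x1F}

def make_fetch(down):
    """Build a simulated fetcher in which the URLs in `down` time out."""
    def fetch(kind, url, serial):
        if url in down:
            raise SourceUnavailable("connection timed out")
        return Status.REVOKED if serial in REVOKED_SERIALS else Status.GOOD
    return fetch

if __name__ == "__main__":
    all_down = {url for _, url in SOURCES}
    for down in (set(), {SOURCES[0][1]}, all_down):
        status, _ = check_revocation(0x1F, SOURCES, make_fetch(down))
        print(len(down), "down:", status.value,
              "soft:", accept_certificate(status, hard_fail=False),
              "hard:", accept_certificate(status, hard_fail=True))
```

With every source blocked, the soft-fail client accepts the revoked certificate while the hard-fail client rejects it; with at least one source reachable, both reach the same verdict.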
