At 1:47 PM -0500 8/8/08, Nicolas Williams wrote: >On Fri, Aug 08, 2008 at 02:08:37PM -0400, Perry E. Metzger wrote: >> The kerberos style of having credentials expire very quickly is one >> (somewhat less imperfect) way to deal with such things, but it is far >> from perfect and it could not be done for the ad-hoc certificate >> system https: depends on -- the infrastructure for refreshing all the >> world's certs every eight hours doesn't exist, and if it did imagine >> the chaos if it failed for a major CA one fine morning. > >The PKIX moral equivalent of Kerberos V tickets would be OCSP Responses. > >I understand most current browsers support OCSP.
...and only a tiny number of CAs do so. --Paul Hoffman, Director --VPN Consortium _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
