Gervase Markham <[EMAIL PROTECTED]> writes:

> However, if it's only the web server asking for responses rather than every
> single client of the web server, the OCSP responder can be handing out
> 5-minute or 2-minute expiry responses rather than the 1 hour or 1 day
> responses it would need to hand out if it were being flattened by a
> ridiculous number of clients. So the attacker hasn't got much to tout around
> after the cert gets revoked - they only get an extra 5 minutes of use.
Only if clocks are perfectly synchronised (see my previous post). If the client's clock is slow, I can prolong the life of a cert effectively indefinitely.

In addition, this assumes that CAs put sensible (or at least consistent) values in the time fields in an OCSP response. In practice, everyone seems to put in something different: the current time, the time the response was generated, the time of CRL issue, the wife's birthday, ...

Peter.

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
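As an added illustration (not part of the original thread), the Python sketch below implements a client-side OCSP freshness check with a clock-skew allowance and a hypothetical policy cap on the thisUpdate..nextUpdate window, then walks through Peter's slow-clock case: a replayed pre-revocation response is rejected by a client with a correct clock but accepted by one whose clock is two hours slow. The timestamps, the 5-minute responder validity and the policy values are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class OcspTimes:
    """The time fields of a basic OCSP response, all in UTC."""
    produced_at: datetime
    this_update: datetime
    next_update: datetime


def check_freshness(t, client_now, max_skew=timedelta(minutes=5),
                    max_window=timedelta(hours=24)):
    """Return (accepted, reason) for a response judged at the client's clock.

    Hypothetical policy: the usual thisUpdate/nextUpdate bounds with a skew
    allowance, plus a cap on the validity window so a responder that puts an
    arbitrary value in nextUpdate cannot hand out responses trusted for days.
    """
    if t.next_update < t.this_update:
        return False, "nextUpdate precedes thisUpdate"
    if t.next_update - t.this_update > max_window:
        return False, "validity window longer than policy allows"
    if t.produced_at < t.this_update - max_skew:
        return False, "producedAt earlier than thisUpdate"
    if t.this_update > client_now + max_skew:
        return False, "thisUpdate is in the future"
    if t.next_update < client_now - max_skew:
        return False, "response has expired"
    return True, "fresh"


# Constructed scenario: T is the true current time; the responder issues
# 5-minute responses, as in the quoted suggestion.
T = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def good_response(issued):
    return OcspTimes(issued, issued, issued + timedelta(minutes=5))


def scenario():
    captured = good_response(T - timedelta(hours=2))  # captured before revocation
    correct = check_freshness(captured, T)              # client clock is right
    slow = check_freshness(captured, T - timedelta(hours=2))  # clock 2 h slow
    sloppy = OcspTimes(T, T, T + timedelta(days=7))     # nextUpdate a week out
    capped = check_freshness(sloppy, T)
    return correct, slow, capped


if __name__ == "__main__":
    for name, r in zip(("correct clock", "slow clock", "week-long window"), scenario()):
        print(f"{name}: {r}")
```

The window cap only limits how long a sloppy responder's answer stays usable; it does nothing about a client whose clock the attacker can hold back, which is why the slow-clock case is still accepted.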
