Gervase Markham <[EMAIL PROTECTED]> writes:

>True - but you are therefore restricted to attacking clients with bad 
>clocks. I'm quite happy to admit that many computer clocks may be out by 
>up to (say) 20 minutes, but the widespread use of things like email 
>which timestamp stuff with the clock time means that I suspect there are 
>pretty few machines out there whose clocks are off by days or months.

Again, refer to my original post, which reports actual findings.

>> In addition, this assumes that CAs put sensible (or at least consistent)
>> values in the time fields in an OCSP response.  In practice, everyone seems to
>> put in something different: The current time, the time the response was
>> generated, the time of CRL issue, the wife's birthday, ...

>Then that's an implementation issue which needs to be fixed.

Right, and that's a relatively small matter of programming, all you need to do
is get all the CAs and PKI vendors to agree on how to do it, and then change
all their applications and certs to conform.  QED.

Peter.

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
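
An added example, not part of the original thread: a client-side freshness check on the OCSP time fields (`producedAt`, `thisUpdate`, `nextUpdate`), run against one response encoded under three of the conventions mentioned above, to show how acceptance of an old response depends on both the client clock and the CA's choice of values. The 20-minute skew tolerance, the 7-day age cap, the dates and the convention names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

SKEW = timedelta(minutes=20)   # assumed tolerance for client clock error
MAX_AGE = timedelta(days=7)    # assumed cap when the responder omits nextUpdate

def check_freshness(resp, client_now, skew=SKEW, max_age=MAX_AGE):
    """Return (ok, reason) for one response's time fields (nextUpdate may be None)."""
    this_update, produced_at = resp["thisUpdate"], resp["producedAt"]
    next_update = resp.get("nextUpdate")
    if this_update > client_now + skew or produced_at > client_now + skew:
        return False, "time field in the future"
    if next_update is not None:
        if next_update < this_update:
            return False, "nextUpdate before thisUpdate"
        if next_update < client_now - skew:
            return False, "nextUpdate has passed"
    elif client_now - this_update > max_age + skew:
        return False, "no nextUpdate and thisUpdate too old"
    return True, "fresh"

# Constructed sample data: one status, generated at G, encoded three ways.
G = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
CRL_ISSUE = G - timedelta(days=6)
RESPONSES = {
    "current_time": {"producedAt": G, "thisUpdate": G, "nextUpdate": None},
    "generation_window": {"producedAt": G, "thisUpdate": G,
                          "nextUpdate": G + timedelta(days=1)},
    "crl_issue": {"producedAt": G, "thisUpdate": CRL_ISSUE,
                  "nextUpdate": CRL_ISSUE + timedelta(days=30)},
}

def evaluate(client_now):
    """Map each convention to whether a client with this clock accepts it."""
    return {name: check_freshness(r, client_now)[0] for name, r in RESPONSES.items()}

if __name__ == "__main__":
    replay_time = G + timedelta(days=9)   # true time at which the old response is seen
    clocks = {"accurate": replay_time,
              "20 min slow": replay_time - timedelta(minutes=20),
              "8.5 days slow": G + timedelta(hours=12)}
    for label, now in clocks.items():
        print(label, evaluate(now))
```

With an accurate clock the nine-day-old response is still accepted under the CRL-issue convention, while a clock that is days slow accepts all three.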
