http://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
The browser vendors blocking those certificates is nice; however, there are attacks on RPs that could be done with those certificates that are still open. In testing, something like 0% of RPs check OCSP or CRL; the libs don't force OpenSSL to do those checks (I think DNOA will do them in FICAM mode). So perhaps encouraging people to perform those checks would be a good idea. We can only hope that none of the 9 certificates cover an OpenID OP, otherwise user accounts at RPs could theoretically be compromised.

John B.
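Added example (not the poster's code and not from DNOA or any OpenID library): a self-contained Go program that builds a constructed throw-away CA and a leaf certificate for the hypothetical host `op.example.test`, then shows the gap the post describes. Go's `crypto/x509`, like an OpenSSL-backed library left at its defaults, only path-builds to a trusted root; `verifyChain` still accepts the leaf after the CA has revoked it. `verifyChainWithCRL` is the extra step an RP has to add itself: verify the issuer's CRL signature, refuse a stale CRL, and reject the leaf if its serial is listed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// opHost is a constructed hostname standing in for an OpenID provider.
const opHost = "op.example.test"

// demoPKI is a constructed throw-away CA plus one leaf certificate issued
// to opHost; nothing here touches the network.
type demoPKI struct {
	ca    *x509.Certificate
	caKey *ecdsa.PrivateKey
	leaf  *x509.Certificate
	roots *x509.CertPool
}

func newDemoPKI() (*demoPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: opHost},
		DNSNames:     []string{opHost},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &demoPKI{ca: ca, caKey: caKey, leaf: leaf, roots: roots}, nil
}

// issueCRL signs a CRL from the demo CA listing the given serials as revoked.
func (p *demoPKI) issueCRL(revoked ...*big.Int) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now().Add(-time.Minute),
		NextUpdate:          time.Now().Add(time.Hour),
		RevokedCertificates: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.ca, p.caKey)
}

// verifyChain is what a TLS stack does by default: path-build to a trusted
// root, check the name and validity period, and stop. Revocation is never consulted.
func (p *demoPKI) verifyChain() error {
	_, err := p.leaf.Verify(x509.VerifyOptions{Roots: p.roots, DNSName: opHost})
	return err
}

// verifyChainWithCRL adds the step the post says RPs skip: once the chain
// validates, take the issuer's CRL (fetched elsewhere; passed in here), check
// its signature and freshness, and reject the leaf if its serial is listed.
func (p *demoPKI) verifyChainWithCRL(crlDER []byte) error {
	chains, err := p.leaf.Verify(x509.VerifyOptions{Roots: p.roots, DNSName: opHost})
	if err != nil {
		return err
	}
	issuer := chains[0][1] // the certificate that issued the leaf
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by the leaf's issuer: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is stale; do not treat the certificate as unrevoked")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", p.leaf.SerialNumber)
		}
	}
	return nil
}

func main() {
	p, err := newDemoPKI()
	if err != nil {
		panic(err)
	}
	crl, err := p.issueCRL(p.leaf.SerialNumber) // CA revokes the leaf
	if err != nil {
		panic(err)
	}
	fmt.Println("chain-only verification after revocation:", p.verifyChain())
	fmt.Println("chain + CRL verification after revocation:", p.verifyChainWithCRL(crl))
}
```

The same shape applies to any other TLS stack: the CRL (or an OCSP response) has to be fetched and checked by the application or enabled explicitly in the library, because the default chain validation will keep accepting a mis-issued certificate until it expires. Treating a missing or stale CRL as a failure, as above, is the conservative choice; a soft-fail lets an attacker who can block the CRL fetch sidestep the check.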
_______________________________________________
security mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-security
