Hi Eddy,

Good to hear from you.

My point is mostly that RP who are counting on TLS to provide a level of 
assurance that they are talking to an IdP need to perform CRL or OCSP checking.

Certificates without that should not be used by IdP.

There are browser issues no doubt.  I am mostly concerned that RP are trusting 
a security mechanism that they have not configured properly and may get an 
unpleasant surprise at some point.

RP libraries need to take this seriously.  

I have known the Comodo guys for a long time as well.  
I use your Start SSL service for a reason.  

However as you say if people don't manage the certificates in their root store 
they are more likely to see this sort of thing.

No CA is immune, sometimes customers shoot themselves in the foot, generating 
weak keys etc.

We have to be able to deal with revoked certificates or we should not be using 
TLS security for a key part of openID trust.

Regards
John B.
On 2011-03-30, at 4:46 PM, Eddy Nigg (StartCom Ltd.) wrote:

> 
> On 03/30/2011 09:59 PM, From John Bradley:
>> 
>> The problem is how do you not trust them without breaking significant parts 
>> of the internet.
>> 
>> They have us over a barrel.
> 
> Well, well....both of you know that this is a particular issue of a 
> particular "Certification Authority" and that there are alternatives. And 
> incidentally I happen to know both of you ;-)
> 
> I assume that there will be actions by the most important browser vendors, I 
> suggest to check your certificate stores and CA bundles at the servers and to 
> rip those CAs you prefer not to trust.
> 
> 
> Regards 
>  
> Signer:       Eddy Nigg, COO/CTO
>       StartCom Ltd.
> XMPP:         [email protected]
> Blog:         Join the Revolution!
> Twitter:      Follow Me
>  
> _______________________________________________
> security mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-security

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
security mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-security
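The check John is asking RP libraries to perform, as an added example that is not part of this thread or of any OpenID library: an RP that validates the IdP's TLS certificate chain and host name, then refuses the connection if the issuer's CRL lists the certificate or if the CRL itself is stale. The CA, the IdP host name `idp.example.test`, the serial numbers and the CRL are all constructed in-process with Go's standard `crypto/x509` package so the example runs offline; a real RP would fetch the CRL (or an OCSP response) from the distribution point named in the certificate and apply the same logic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// IdPHost is a hypothetical IdP host name used only for this fixture.
const IdPHost = "idp.example.test"

var (
	ErrRevoked  = errors.New("IdP certificate is revoked")
	ErrStaleCRL = errors.New("CRL is past its NextUpdate; refusing to trust it")
)

// Fixture is a constructed test setup: a throw-away root CA, a leaf certificate
// for IdPHost signed by it, and a CRL issued by that CA. Nothing here comes from a real CA.
type Fixture struct {
	Roots  *x509.CertPool
	Leaf   *x509.Certificate
	CRLDER []byte
}

// NewFixture builds the CA, the IdP leaf and a CRL; if revoked is true the
// CRL lists the leaf's serial number.
func NewFixture(revoked bool) (*Fixture, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), // constructed serial
		Subject:      pkix.Name{CommonName: IdPHost},
		DNSNames:     []string{IdPHost},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	// The CRL is valid for 12 hours; after NextUpdate an RP must treat it as unusable.
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour)}
	if revoked {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &Fixture{Roots: roots, Leaf: leaf, CRLDER: crlDER}, nil
}

// VerifyIdPCert is the RP-side check: chain + host name validation first, then a
// hard-fail revocation check against a CRL that must be signed by the leaf's issuer.
func VerifyIdPCert(leaf *x509.Certificate, roots *x509.CertPool, host string, crlDER []byte, now time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	if err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if len(chains[0]) < 2 {
		return errors.New("no issuer in chain; cannot check revocation")
	}
	issuer := chains[0][1]
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("CRL parse failed: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by the IdP certificate's issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return ErrStaleCRL
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func main() {
	for _, revoked := range []bool{false, true} {
		f, err := NewFixture(revoked)
		if err != nil {
			panic(err)
		}
		fmt.Printf("revoked=%v -> %v\n", revoked, VerifyIdPCert(f.Leaf, f.Roots, IdPHost, f.CRLDER, time.Now()))
	}
}
```

The design point is that the revocation check is hard-fail: a missing, unsigned or expired CRL is an error, not a pass. A library that soft-fails (skips the check when the CRL cannot be fetched) gives exactly the false assurance John warns about, since an attacker who can present a revoked certificate can usually also block the CRL fetch.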
