Re: OCSP Tracking

2011-09-10 Thread Florian Weimer
* Devdatta Akhawe: I was surprised to note that DigiNotar had a log of all IPs who had requested an OCSP lookup for the bad certs. This seems like a very bad idea on the OCSP server's part. Verisign/Symantec keep logs as well, they even issue a yearly press release about them, usually in

Re: OCSP Tracking

2011-09-08 Thread Daniel Veditz
On 9/6/11 11:07 AM, Devdatta Akhawe wrote: Sure. But I think users would be very surprised to find that every time they visit an SSL site, some server somewhere is noting down what site they visited, and when. Yes, OCSP supposedly traded off a little privacy for immediacy over CRLs. Except that

Re: OCSP Tracking

2011-09-06 Thread Jean-Marc Desperrier
On 06/09/2011 11:48, Devdatta Akhawe wrote: [...] if I visit https://www.secure.com in private browsing mode; Firefox makes an OCSP request. After closing private browsing mode and going back to the normal mode, if I go to https://www.secure.com then Firefox caches the OCSP responses and doesn't

Re: OCSP Tracking

2011-09-06 Thread Gervase Markham
On 06/09/11 03:48, Devdatta Akhawe wrote: I was surprised to note that DigiNotar had a log of all IPs who had requested an OCSP lookup for the bad certs. This seems like a very bad idea on the OCSP server's part. Well, the list of IPs has been passed to Google, who are now able to warn people

Re: OCSP Tracking

2011-09-06 Thread Devdatta Akhawe
Well, the list of IPs has been passed to Google, who are now able to warn people accessing Google from those IPs that there is a problem. So there are both good and bad sides to it. Sure. But I think users would be very surprised to find that every time they visit an SSL site, some server

Re: OCSP Tracking

2011-09-06 Thread Ian G
Related but not exactly on point: == The rogue certificate found by Google was issued by the DigiNotar Public CA 2025. The serial number of the certificate was, however, not found in the CA system's records. This leads to the conclusion that it is unknown how many certificates were

Re: OCSP Tracking

2011-09-06 Thread Devdatta Akhawe
Hmm. That hints that the logging wasn't turned on by default, but I would prefer a confirmation from the CAs and a definitive policy from Mozilla. Or, considering the momentum on the Do-Not-Track proposal, have a CA policy that says "Do not log if the OCSP request has a DNT:1"? thanks devdatta