Ian G wrote:
On Friday 20 May 2005 23:47, Jean-Marc Desperrier wrote:
Gervase Markham wrote:
Er, given that we have no OCSP and no-one's checking CRLs, I think
losing a root cert which is embedded in 99% of browsers out there would
be an _extremely_ big deal.
But OCSP/CRL can not help in
On Wednesday 25 May 2005 19:14, Anne Lynn Wheeler wrote:
Nelson B [EMAIL PROTECTED] writes:
Ah, I was wondering when paradoxes would enter this discussion.
CA self revocation: Everything I say is a lie.
I think not said Descartes, who promptly vanished.
the original scenario was that
Ian G [EMAIL PROTECTED] writes:
Sure, that's obvious. But, Lynn, can you shed any light on why the
standards didn't include a mechanism? You seem to be intimating
that the original PKI concept included it.
i have memory of the exchanges taking place about the protocol process
... i would
Anne Lynn Wheeler wrote:
Nelson B [EMAIL PROTECTED] writes:
Ah, I was wondering when paradoxes would enter this discussion.
CA self revocation: Everything I say is a lie.
I think not said Descartes, who promptly vanished.
the original scenario was that CA could only assert that they were
I thought discussion might have been pkix /or x9f related .. as an
easier step than starting to search my own archives ... i've
done a quicky web search engine ...
one entry in pkix thread
http://www.imc.org/ietf-pkix/old-archive-01/msg01776.html
here is recent m'soft article mentioning the
Anne Lynn Wheeler [EMAIL PROTECTED] writes:
also, i remember OCSP coming on the scene sometime after I had been
going for awhile about how CRLs were 1960s technology (at least in
the payment card business) before payment card moved into the
modern online world with online authentication
On Wednesday 25 May 2005 20:27, Julien Pierre wrote:
By signing a CRL that does not include a particular cert's serial
number, or by signing an OCSP response that says this cert's serial
number is still valid, a CA makes the statement that the cert in
question is not revoked.
Surely not!
Kikx wrote:
Considering that it's a lack of security and allows man in the middle
attack (down negotiation only) and even if you would like to use TLS or
SSL3 an attacker can just force you to go to SSL2 and then to use a
very weak encryption without any warning ...
There are two statements
Ian,
Ian G wrote:
By signing a CRL that does not include a particular cert's serial
number, or by signing an OCSP response that says this cert's serial
number is still valid, a CA makes the statement that the cert in
question is not revoked.
Surely not! That can't scale CRLs would grow