[cabfpub] August 1st Deadline for No "Good" Response to Non-Issued Certificate

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Jul 19 20:16:10 UTC 2013


On 07/19/2013 11:04 PM, From Kelvin Yiu:
> As Tom said, the problem is that the requirement does not protect from 
> attackers that are able to use the same serial number as unexpired 
> certificates. When you factor in the requirement for CAs to 
> instantaneously update the OCSP server, or make the CA database 
> accessible to the OCSP server, we have to make a security trade off.

It's always interesting to hear yet another opinion - I'm not sure if we 
ever thought about it in this way.

Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

