On 10/15/2009 03:57 PM, Ian G:
> On 15/10/2009 15:21, Gervase Markham wrote:
>> On 13/10/09 16:18, Anders Rundgren wrote:
>>> IMO putting OCSP or CRLs in public SSL certificates was never a
>>> particularly good idea because the only likely case for a revocation
>>> is when a CA fails to validate a customer. That has happened
>>> but not often enough to motivate the building of new infrastructure.
>>
>> That's just not true. Debian weak keys and the recent \0 certs are both
>> cases where customer validation was done to the appropriate level but
>> the certs still had to be revoked.
>
> Note the careful insertion of the word "likely". I think what Anders
> is saying is that revocation is purposed to a failure in validation.

Which is obviously not correct. Most revocations happen due to loss and
compromise of private keys, retirements, software bugs, misuse, but
seldom due to validation failures.

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto