Kai,
On 2/7/2012 12:58, Kai Engert wrote:
That's a reason why I propose vouchers to be IP specific.
In my understanding, each IP will have only a single certificate,
regardless of where in the world you connect to it.
That's definitely an incorrect assumption to make.
There can be a very
On 02/07/2012 06:04 PM, Kai Engert wrote:
> The CA will remember the association {IP, certificate}. In future
> requests, as long as this requesting IP requests a voucher for the same
> certificate, the described bidirectional authentication and verification
> will be sufficient.
Just a technicalit
On 08/02/12 12:43, Ondrej Mikle wrote:
On 02/07/2012 09:58 PM, Kai Engert wrote:
That's a reason why I propose vouchers to be IP specific.
In my understanding, each IP will have only a single certificate,
regardless of where in the world you connect to it.
It's not true in general. There
On 02/07/2012 09:58 PM, Kai Engert wrote:
> On 07.02.2012 17:54, Ondrej Mikle wrote:
>>> The phone calls would ensure that each registered person will be aware
>>> of the certificate issuance.
>>
>> This is getting very close to EV validation (Sovereign Keys have the
>> same issue).
>
> I'd say ma
Why not just use the secure domain transfer identifier? Only the real holder
of the domain has that.
-Kyle H
On Mon, Feb 6, 2012 at 12:21 PM, Kai Engert wrote:
On 21.10.2011 15:09, Kai Engert wrote:
This is an idea how we could improve today's world of PKI, OCSP, CA's.
https://kuix.de/me
On 07.02.2012 17:54, Ondrej Mikle wrote:
The phone calls would ensure that each registered person will be aware
of the certificate issuance.
This is getting very close to EV validation (Sovereign Keys have the
same issue).
I'd say making phone calls is less effort than checking business
docu
My previous message was a proposed solution to the problem "attacker is
close to the server and uses it to obtain a new fraudulent cert", and I
proposed to use an organizational approach to prevent that attack.
In addition, another potential attack is, the attacker has obtained a
certificate f
Hi,
Kai Engert wrote:
> If the attacker is able to hack the router that is close to the
> webserver (e.g. hack the ISP that hosts the webserver), then the
> attacker might be able to simply apply for a certificate from a CA and
> intercept the (plaintext) approval emails the CA sends to the domain
On 21.10.2011 15:09, Kai Engert wrote:
This is an idea how we could improve today's world of PKI, OCSP, CA's.
https://kuix.de/mecai/
Review, thoughts and reports of flaws welcome.
Thanks to Peter Eckersley, who first mentioned to me at 28c3 that there
is one scenario that isn't solved by th
Just a quick thought, that I don't want to lose.
Maybe it would be a reasonable middle-ground to define:
- for intermediate CAs, OCSP information is published in DNS
- for servers, we use OCSP stapling
(Rob, thanks for your response, I'm still digesting.)
Regards
Kai
--
dev-tech-crypto mailing
On Wednesday 07 Dec 2011 04:19:09 Kai Engert wrote:
> I haven't researched, but has anyone already thought of distributing
> OCSP records using DNS in general?
>
> If we had OCSP-in-DNS, we might not even require OCSP stapling. This
> could run as a service completely independent of the SSL serve
On 21.10.2011 15:09, Kai Engert wrote:
This is an idea how we could improve today's world of PKI, OCSP, CA's.
https://kuix.de/mecai/
After more brainstorming I came up with some incremental ideas.
Thanks a lot to Adam Langley for pointing out scenarios that weren't yet
sufficiently handled
On 10/21/2011 03:09 PM, From Kai Engert:
This is an idea how we could improve today's world of PKI, OCSP, CA's.
https://kuix.de/mecai/
Review, thoughts and reports of flaws welcome.
Interesting - but it probably will never work. I don't see CAs
cooperating to this extent, it will probably c
On 10/21/2011 08:09 AM, Kai Engert wrote:
This is an idea how we could improve today's world of PKI, OCSP,
CA's.
https://kuix.de/mecai/
This is great. We need these kinds of ideas.
Review, thoughts and reports of flaws welcome.
OK, this is a serious thought, not just a flippant remark:
Wh