At Fri, 8 Aug 2008 11:50:59 +0100,
Ben Laurie wrote:
> However, since the CRLs will almost certainly not be checked, this
> means the site will still be vulnerable to attack for the lifetime of
> the certificate (and perhaps beyond, depending on user
> behaviour). Note that shutting down the site DOES NOT prevent the
> attack.
>
> Therefore mitigation falls to other parties.
>
> 1. Browsers must check CRLs by default.

Isn't this a good argument for blacklisting the keys on the client
side?

-Ekr