Re: https


---- Original Message -----
From: "Hector Santos" <hsantos@xxxxxxxxxxxxxx>
To: "Adam Novak" <interfect@xxxxxxxxx>
Cc: "IETF Discussion" <ietf@xxxxxxxx>
Sent: Friday, August 26, 2011 8:49 PM
Subject: Re: https


> I see, so as long as it's not revoked, if compromised, you are hosed
> until it expires.
>
> I wonder if OCSP (Online Certificate Status Protocol) can help
> address this?

Hector

Back in 2008, some people could not access the IETF website using
TLS because of OCSP; I think that the URI for the OCSP site for
the certificate was unavailable, at least for some parts of the
world.  Another potential vector for failure.

Tom Petch

> Expired or not, it can still be revoked with dynamic
> checking as long as the browser has OCSP enabled.  So I guess it's a
> matter of reporting the theft as soon as it is discovered.
>
>
> Adam Novak wrote:
> > On Fri, Aug 26, 2011 at 1:13 PM, Hector Santos <hsantos@xxxxxxxxxxxxxx> wrote:
> >> Makes you wonder. Why is the concept of expiration required?  Did the IETF
> >> expire, die?  Did its value as an Organization go down and only valid on a
> >> year to year basis?
> >
> > As I understand it, expiration is supposed to solve the problem of
> > someone getting their hands on your old certificates and impersonating
> > you. In order to impersonate you, not only do they have to get into
> > your system, they have to have done it in the last year or so.
> >
> > It also keeps certificates for domains from outliving domain
> > registrations for too long. If you don't have the domain when you go
> > to renew the certificate, the CA shouldn't renew it.
> >
> > I guess it also keeps revocation lists short. You only have to
> > remember that a certain certificate was compromised until it expires,
> > instead of forever.
>
> --
> Sincerely
>
> Hector Santos
> http://www.santronics.com

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
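The certificate-status mechanics the thread argues over (the validity window, a revocation list that can forget a certificate once it expires, and an unreachable OCSP responder as its own failure vector under hard-fail versus soft-fail) as a small model. This is an added example, not code from the thread or from any IETF project; the serials, subjects, dates and OCSP answers are constructed sample values.

```python
"""Added model of certificate status checking as discussed in the thread.
Not code from the thread or any IETF project; all certificates, dates and
OCSP answers below are constructed sample values."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Tuple


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"          # responder answered but has no record of the serial
    UNAVAILABLE = "unavailable"  # responder URI unreachable, as in the 2008 outage


@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass
class RevocationList:
    """CRL-like store: serial -> notAfter of the revoked certificate."""
    revoked: Dict[int, datetime] = field(default_factory=dict)

    def revoke(self, cert: Cert) -> None:
        self.revoked[cert.serial] = cert.not_after

    def is_revoked(self, serial: int) -> bool:
        return serial in self.revoked

    def prune(self, now: datetime) -> int:
        """Forget revoked certificates that have expired (this is why expiry
        keeps revocation lists short). Returns the number of entries dropped."""
        stale = [s for s, expiry in self.revoked.items() if expiry < now]
        for s in stale:
            del self.revoked[s]
        return len(stale)


def evaluate(cert: Cert, now: datetime, crl: RevocationList,
             ocsp: OcspStatus, hard_fail: bool) -> Tuple[bool, str]:
    """Decide whether to trust `cert` at time `now`.

    The validity window is checked first, so a stolen certificate is useless
    once it expires regardless of revocation state. `hard_fail` controls what
    happens when OCSP gives no usable answer.
    """
    if now < cert.not_before:
        return False, "not yet valid"
    if now > cert.not_after:
        return False, "expired"
    if crl.is_revoked(cert.serial):
        return False, "revoked (CRL)"
    if ocsp is OcspStatus.REVOKED:
        return False, "revoked (OCSP)"
    if ocsp in (OcspStatus.UNKNOWN, OcspStatus.UNAVAILABLE):
        if hard_fail:
            return False, f"OCSP {ocsp.value}: refused under hard-fail"
        return True, f"OCSP {ocsp.value}: accepted under soft-fail"
    return True, "good"


def scenarios() -> Dict[str, object]:
    """Run the cases the thread describes; returns a name -> result map."""
    utc = timezone.utc
    now = datetime(2011, 8, 26, tzinfo=utc)  # date of the thread
    # Constructed sample certificates (serials, subjects and dates are made up).
    site = Cert(1001, "www.example.org", datetime(2011, 1, 1, tzinfo=utc),
                now + timedelta(days=200))
    leaked = Cert(1002, "www.example.org", datetime(2011, 3, 1, tzinfo=utc),
                  now + timedelta(days=100))      # key stolen, still inside validity
    old = Cert(1003, "www.example.org", datetime(2009, 1, 1, tzinfo=utc),
               datetime(2010, 1, 1, tzinfo=utc))  # key stolen, but already expired

    crl = RevocationList()
    crl.revoke(leaked)
    crl.revoke(old)

    results: Dict[str, object] = {
        "good cert, OCSP good":
            evaluate(site, now, crl, OcspStatus.GOOD, hard_fail=True),
        "good cert, OCSP down, hard-fail":
            evaluate(site, now, crl, OcspStatus.UNAVAILABLE, hard_fail=True),
        "good cert, OCSP down, soft-fail":
            evaluate(site, now, crl, OcspStatus.UNAVAILABLE, hard_fail=False),
        "leaked cert, revoked in CRL":
            evaluate(leaked, now, crl, OcspStatus.UNAVAILABLE, hard_fail=False),
        "leaked cert, not yet reported, OCSP down, soft-fail":
            evaluate(leaked, now, RevocationList(), OcspStatus.UNAVAILABLE, hard_fail=False),
        "old stolen cert":
            evaluate(old, now, crl, OcspStatus.GOOD, hard_fail=True),
        "CRL entries pruned after expiry": crl.prune(now),
        "CRL entries remaining": len(crl.revoked),
    }
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:55} -> {outcome}")
```

The two "OCSP down" rows are the trade-off behind the 2008 outage: hard-fail turns an unreachable responder into a denial of service for a perfectly good certificate, while soft-fail lets an unreported compromised certificate through until it expires or is placed on the list.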
