> Limitations
> ~~~~~~~~
> - Works only if attacker fraudulently issued a certificate with a serial
>   that is not associated with a good certificate.

This can be remedied by using an extension in which a server providing white-list information conveys a hash of the (genuine) certificate having this serial number. Note that such an extension does not only exist but is already used in the context of qualified certificates in Germany: CertHash (OID 1.3.36.8.3.13), defined in CommonPKI.

Johannes
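
The client-side check this reply describes, as an added example that is not part of the original message: the hash conveyed by the server is compared with the hash of the certificate actually presented, so a fraudulent certificate reusing a good serial number is rejected. It assumes the CertHash value is a DER SEQUENCE of an AlgorithmIdentifier and an OCTET STRING, and that the hash covers the complete DER-encoded certificate; all function names and the sample byte strings are constructed for illustration.

```python
import hashlib
import hmac

# DER content bytes of hash-algorithm OIDs -> hashlib names
HASH_OIDS = {
    bytes.fromhex("2b0e03021a"): "sha1",            # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): "sha256",  # 2.16.840.1.101.3.4.2.1
}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one definite-length DER element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_cert_hash(der):
    """Parse SEQUENCE { hashAlgorithm AlgorithmIdentifier, certificateHash OCTET STRING }."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a CertHash SEQUENCE")
    alg_tag, alg, pos = read_tlv(body)
    oid_tag, oid, _ = read_tlv(alg)
    hash_tag, digest, pos = read_tlv(body, pos)
    if (alg_tag, oid_tag, hash_tag) != (0x30, 0x06, 0x04) or pos != len(body):
        raise ValueError("malformed CertHash")
    return oid, digest

def cert_matches_certhash(cert_der, certhash_der):
    """True only if the presented certificate hashes to the responder's value."""
    oid, expected = parse_cert_hash(certhash_der)
    name = HASH_OIDS.get(oid)
    if name is None:
        return False  # unknown hash algorithm: fail closed
    return hmac.compare_digest(hashlib.new(name, cert_der).digest(), expected)

def _tlv(tag, value):  # sample builder, short-form lengths only
    return bytes([tag, len(value)]) + value

# Constructed sample data: placeholder byte strings stand in for certificate DER.
GENUINE = b"constructed stand-in: genuine certificate DER"
FORGED = b"constructed stand-in: forged certificate, same serial"
ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("608648016503040201")) + b"\x05\x00")
CERTHASH = _tlv(0x30, ALG + _tlv(0x04, hashlib.sha256(GENUINE).digest()))
```

A relying party would treat a `False` result or a parse error the same as a non-good status for that serial number.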