On 01/11/15 08:21, Walter H. wrote:
> On 31.10.2015 23:23, Michael Ströder wrote:
>> Walter H. wrote:
>>> give me a hint for finding S/MIME certificates, finding my own would
>>> be nice;
>> You claim that clear-text OCSP requests are not a privacy issue.
> yes ..., a security problem I mentioned in connection with stupid CAs
> some posts before is the bigger problem ...
>> So you should
>> explain how you keep your *public*-key cert from being intercepted
>> somewhere.
> depends on the CA; a CA that has a directory publicly browsable on the
> internet, this is impossible,
> in other words, the CA itself is the problem in this case;

CT is the answer to a big problem. I fail to see that CAs deploying CT is a problem. I also don't see why only a CA can do this. There might be some adversaries that are perfectly capable of building large databases of certificates that they have "collected" from the internet.

>> You can't.
> really? try to find my S/MIME public key certificate ...
> your "update" shows only SSL certificates; and as I said, SSL
> certificates are not a problem ...

Sorry, I must have missed that point? Why do you believe SSL certificates are not a problem? Unless you meant your example of a cert with a large number of alt names. But if so, I fail to see why the existence of some certificates where the amount of information an attacker could gain is smaller (but not nil) means that we should not deploy OCSP over https for *all* certificates?

I also very much hope that CAs will deploy CT for S/MIME too.

Matt