Walter H. wrote:
> On 30.10.2015 21:42, Michael Ströder wrote:
>> Walter H. wrote:
>>> On Thu, October 29, 2015 11:07, Jakob Bohm wrote:
>>>> She (Eve) would know that the requesting party Alice
>>>> was talking to Bob at the very moment she sent Trent
>>>> the OCSP *request* for Bob's certificate.
>>>>
>>>> [...] equivalent of having (almost complete) real time
>>>> copies of everybody's phone bill/call records.
>>>> Who was calling who at what time.
>>> this is not a problem as long as the public keys (the certificates) are
>>> not really public;
>>> because in your example Eve doesn't have the knowledge which certificate
>>> the specific serial number has ...
>>>
>>> if the public keys (the certificates) are searchable by public - the worst
>>> case direct by a search engine like google - then you would get an
>>> absolute security hole:
>> Update for you: https://crt.sh/
>>
> you know the difference between SSL and S/MIME?

I know the difference very well - probably even longer than you.

Note:
1. Google's certificate transparency project is not limited to certain
   certificate types.
2. Privacy concerns are raised because of browsers validating server certs via
   OCSP during TLS connect.

=> OCSP should be feasible over TLS in the spirit of RFC 7258.

Ciao, Michael.
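The point argued in this thread, that a plain-HTTP OCSP request exposes the certificate's issuer hashes and serial number to anyone on the path, shown as an added example that is not part of the original post. It builds a constructed OCSPRequest as an RFC 6960 GET path and reads it back the way a passive observer could; all function names and sample values are hypothetical.

```python
import base64
import hashlib
from urllib.parse import quote, unquote

def tlv(tag, body):
    """Encode one DER element (short-form length: bodies under 128 bytes)."""
    return bytes([tag, len(body)]) + body

def read(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read(value, pos)
        out.append((tag, val))
    return out

def build_sample_get_path(issuer_name, issuer_key, serial):
    """Constructed sample: unsigned OCSPRequest with one SHA-1 CertID."""
    sha1 = tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a")) + tlv(0x05, b""))
    serial_der = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    cert_id = tlv(0x30, sha1 + tlv(0x04, hashlib.sha1(issuer_name).digest())
                  + tlv(0x04, hashlib.sha1(issuer_key).digest())
                  + tlv(0x02, serial_der))
    der = tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))
    return "/" + quote(base64.b64encode(der).decode(), safe="")

def observed_cert_ids(url_path):
    """Fields a passive observer reads from a plain-HTTP OCSP GET path."""
    der = base64.b64decode(unquote(url_path.lstrip("/")))
    _, ocsp_request, _ = read(der, 0)
    _, tbs = children(ocsp_request)[0]
    # requestList is the first plain SEQUENCE; version/requestorName are tagged
    request_list = next(v for t, v in children(tbs) if t == 0x30)
    found = []
    for _, request in children(request_list):
        _, name_hash, key_hash, serial = (v for _, v in children(children(request)[0][1]))
        found.append({"issuer_name_hash": name_hash.hex(),
                      "issuer_key_hash": key_hash.hex(),
                      "serial": int.from_bytes(serial, "big")})
    return found
```

The issuer hashes and serial number are what a public certificate index such as crt.sh can be searched by, which is why carrying the request over TLS hides them from observers other than the responder.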