On 31.10.2015 13:01, Michael Ströder wrote:
> Walter H. wrote:
>> On 30.10.2015 21:42, Michael Ströder wrote:
>>> Walter H. wrote:
>>>> On Thu, October 29, 2015 11:07, Jakob Bohm wrote:
>>>>> She (Eve) would know that the requesting party Alice
>>>>> was talking to Bob at the very moment she sent Trent
>>>>> the OCSP *request* for Bob's certificate.
>>>>>
>>>>> [...] equivalent of having (almost complete) real time
>>>>> copies of everybody's phone bill/call records.
>>>>> Who was calling who at what time.
>>>> this is not a problem as long as the public keys (the certificates) are
>>>> not really public;
>>>> because in your example Eve doesn't have the knowledge which certificate
>>>> the specific serial number has ...
>>>>
>>>> if the public keys (the certificates) are searchable by the public - the worst
>>>> case directly by a search engine like google - then you would get an
>>>> absolute security hole:
>>> Update for you: https://crt.sh/
>>>
>> you know the difference between SSL and S/MIME?
> I know the difference very well - probably even longer than you.

sorry I don't think so, because you didn't really reply anything in connection
with S/MIME as I mentioned, you gave an "update" relevant to SSL ...

> Note:
> 1. Google's certificate transparency project is not limited to certain
> certificate types.

sure? give me a hint for finding S/MIME certificates, finding my own would be
nice; for SSL/TLS-certificates I don't need this, I use just this

<script>
#!/bin/bash
#
# usage: retrieve-cert.sh remote.host.name [port]
#
# Connects to the given host/port, closes the connection right away (the
# empty echo on stdin) and prints the leaf certificate s_client received,
# in PEM form.
REMHOST=$1
REMPORT=${2:-443}

echo |\
openssl s_client -connect "${REMHOST}:${REMPORT}" 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
</script>

> 2. Privacy concerns are raised because of browsers validating server certs via
> OCSP during TLS connect.
are you sure? think of validating a certificate like this:

<cert-san>
X509v3 Subject Alternative Name:
    DNS:rsc.cdn77.org, DNS:*.rsc.cdn77.org, DNS:*.c.cdn77.org, DNS:cdn.perfdrive.com,
    DNS:www.secure.nsw.gov.au, DNS:www.cdn77.com, DNS:info.gossipslots.eu, DNS:*.r2games.com,
    DNS:cdn.medio.com, DNS:*.cdn77-ssl.net, DNS:static.netverify.com, DNS:static.popads.net,
    DNS:c1.popads.net, DNS:cdn77.clickfun.com, DNS:content.thunderkick.com, DNS:cdn.xsolla.com,
    DNS:cdns.kinguin.net, DNS:cdn.ometria.com, DNS:static.victorinox.com, DNS:images.victorinox.com,
    DNS:uat.static.victorinox.com, DNS:static1.zuerich.com, DNS:uat.images.victorinox.com,
    DNS:ret.tyroodr.com, DNS:unic.static.victorinox.com, DNS:static.jumio.com, DNS:static.netswipe.com,
    DNS:cdn77.clickfuncasino.com, DNS:assets.victorinox.com, DNS:cache.graphicslib.viator.com,
    DNS:cache.vtrcdn.com, DNS:m.vtrcdn.com, DNS:partner.vtrcdn.com, DNS:cdn.qbaka.net,
    DNS:i.gocollette.com, DNS:cdn.ctnsnet.com, DNS:videos.kinkylove.com, DNS:images.kinkylove.com,
    DNS:cdn.igopost.com, DNS:cdn3.merchenta.com, DNS:cdn.sscontent.com, DNS:cnt.booming.de,
    DNS:cdn.exactag.com, DNS:cdn.garantibil.se, DNS:cloud.majestic.co.uk, DNS:cdn.eprofessional.de,
    DNS:cdn.webstaurantstore.com, DNS:cdn.darkstarrisen.com, DNS:static-vid.ibotta.com,
    DNS:cdn.contentdn.net, DNS:cdn.nailsuperstore.com, DNS:info.drakecasino.eu,
    DNS:media.lingeriestyling.com, DNS:info.gtbets.eu, DNS:cdn.levenhuk.com, DNS:cdn.axonify.com,
    DNS:cdn.propellant.dk, DNS:static.scania.com, DNS:cdn.majestic.co.uk, DNS:cdn.professionalthemes.nyc
</cert-san>

and what would it tell me if I knew that you had just validated a certificate of
CA x with serial 36635145454? then tell me where the privacy concern is ...

> => OCSP should be feasible over TLS in the spirit of RFC 7258.

as long as many CAs still have the 2048 bit root keys *) they had many years
ago ... there is no need for OCSP over TLS

*) some had them years ago using MD5, then using SHA1 and maybe now using SHA2 ...

security and usability have a higher priority for me than privacy ...

Greetings,
Walter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4312 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151031/cd645842/attachment-0001.bin>
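The argument in this thread is about what an eavesdropper on the OCSP request actually sees, and whether she can map that to a hostname. The script below is an added example, not code from Walter's mail or from the OpenSSL project: it builds a throwaway issuer and a leaf certificate with several unrelated hostnames in its SAN list (all names, files and the CA are constructed for the demo), then decodes the OCSP request a client would send for that leaf. The request carries only the CertID (issuer name hash, issuer key hash, serial number); none of the hostnames appear, so turning the serial into "who Alice is talking to" requires the certificate itself, which is exactly what a CT log such as crt.sh supplies for TLS certificates.

```sh
#!/bin/sh
# Added example (not from the original thread): what an OCSP request leaks.
# Everything here (CA, leaf, hostnames) is constructed locally for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway issuer. P-256 just for speed; the key type is irrelevant here.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 1 \
    -subj "/CN=Demo Issuing CA" >/dev/null 2>&1

# Leaf whose SAN list mixes unrelated hostnames, like the CDN certificate
# quoted in the mail (hypothetical names, not real hosts).
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=cdn.example.test" >/dev/null 2>&1
printf 'subjectAltName=DNS:cdn.example.test,DNS:*.assets.example.test,DNS:static.shop.example\n' \
    > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.cnf" \
    -out "$WORK/leaf.pem" >/dev/null 2>&1

# How many DNS names the leaf covers (what Eve would learn if she had the cert).
san_count() {
    openssl x509 -in "$WORK/leaf.pem" -noout -text \
        | grep -o 'DNS:[^,]*' | wc -l | tr -d ' '
}

# Serial number of the leaf, as it will appear inside the OCSP request.
leaf_serial() {
    openssl x509 -in "$WORK/leaf.pem" -noout -serial | cut -d= -f2
}

# Build the OCSP request a client would send for this leaf (no network; -reqout
# only writes the DER request) and decode it. The CertID is all that is in it:
# issuer name hash, issuer key hash and the serial number.
ocsp_request_text() {
    openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" -no_nonce \
        -reqout "$WORK/req.der" >/dev/null 2>&1
    openssl ocsp -reqin "$WORK/req.der" -no_nonce -text 2>/dev/null
}

# "yes" if any of the leaf's hostnames shows up in the request, "no" otherwise.
ocsp_request_leaks_names() {
    if ocsp_request_text | grep -q 'example'; then echo yes; else echo no; fi
}

echo "SAN entries on leaf:       $(san_count)"
echo "leaf serial:               $(leaf_serial)"
echo "hostnames in OCSP request: $(ocsp_request_leaks_names)"
ocsp_request_text
```

Run it as-is; it needs only the openssl command-line tool and writes to a temporary directory that is removed on exit. The last lines of output are the decoded request: compare the "Serial Number" field with the leaf serial printed above it, and note that the only way from that serial to the SAN list is a copy of the certificate.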