Hi all,
as we are updating the OCSP protocol, I was wondering if we could add a
feature that has been widely investigated in Academia, but no fallback
has happened in the real world, yet: Privacy.
The OCSP protocol raises possible privacy concerns: by requesting the
revocation status of a specific certificate, a possible "eve" could infer
the user's activity (or even one's location if the cert is used for
physical access to a building!). This issue is not present when using
CRLs as no disclosure of which certificate is being checked occurs.
A simple solution exists based on obfuscating the serial number of the
requested certificate. It also can be easily implemented as an extension
to the current protocol.
Is anybody interested in solving this issue? I can probably write an
initial draft very easily. Shall this be a separate draft or an update
of the OCSP one?
Looking forward to reading your points of view...
Best,
Max
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] openca at acm.org
project.manager at openca.org
Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us
who do.
-- Isaac Asimov
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.