Massimiliano Pala wrote: > Hi all, > > as we are updating the OCSP protocol, I was wondering if we could add a > feature that has been widely investigated in Academia, but no fallback > has happened in the real world, yet: Privacy. > > The OCSP protocol raises possible privacy concerns: by requesting the > revocation status of a specific certificate a possible ``eve'' could infer > the user's activity (or even one's location if the cert is used for > physical access to a building!). This issue is not present when using > CRLs as no disclosure of which certificate is being checked occurs. > > A simple solution exists based on obfuscating the serial number of the > requested certificate. It also can be easily implemented as an extension > to the current protocol. > > Is anybody interested in solving this issue ? I can probably write an > initial draft very easily. Shall this be a separate draft or an update > of the OCSP one ? > Would've thought an https URL for the responder would be a simpler way. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.co.uk/ Email: shenson at drh-consultancy.co.uk, PGP key: via homepage.
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.