Hi Carl,

that would be simple... if the software out there would support partitioned CRLs correctly.. :( I am not sure how much deployed software actually supports them, do you have any stats?

Also, with respect to all the https solution, it does not consider that the privacy of the user can be compromised on the server itself (malicious admins or the server gets hacked). So the https does protect against MITM on the net, but nothing more... this could be a problem when the service is outsourced... or run by a big CA provider whilst the certificate is issued to an employee of a company/gov organization/etc.. are they willing to share that info with the CA provider? Is the CA liable if the logs of the server are compromised? Can the CA use the OCSP logs for its own purposes?

Am I the only one concerned with this type of problem?

Later,
Max

On 11/17/2009 08:20 AM, Carl Wallace wrote:
[...]
> Even more simple: use partitioned CRLs where OCSP is used
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.