Re: it gets worse -- Microsoft warns of hijacked certificates

Michael Ströder <michael@stroeder.com> Fri, 23 March 2001 00:09 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id TAA27011 for <pkix-archive@odin.ietf.org>; Thu, 22 Mar 2001 19:09:30 -0500 (EST)
Received: from localhost by above.proper.com (8.9.3/8.9.3) with SMTP id QAA06927; Thu, 22 Mar 2001 16:08:59 -0800 (PST)
Received: by mail.imc.org (bulk_mailer v1.12); Thu, 22 Mar 2001 16:08:55 -0800
Received: from mailout01.sul.t-online.com (mailout01.sul.t-online.com [194.25.134.80]) by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA06892 for <ietf-pkix@imc.org>; Thu, 22 Mar 2001 16:08:53 -0800 (PST)
Received: from fwd04.sul.t-online.com by mailout01.sul.t-online.com with smtp id 14gF8H-0004OK-00; Fri, 23 Mar 2001 01:08:45 +0100
Received: from junker.ms.inka.de (520010731148-0001@[217.1.24.32]) by fmrl04.sul.t-online.com with esmtp id 14gF8F-0ktO64C; Fri, 23 Mar 2001 01:08:43 +0100
Received: from stroeder.com (localhost [127.0.0.1]) by junker.ms.inka.de (Postfix) with ESMTP id D346E67C7C for <ietf-pkix@imc.org>; Fri, 23 Mar 2001 01:08:39 +0100 (CET)
Sender: michael@ms.inka.de
Message-ID: <3ABA9407.9E883B88@stroeder.com>
Date: Fri, 23 Mar 2001 01:08:39 +0100
From: Michael =?iso-8859-1?Q?Str=F6der?= <michael@stroeder.com>
Reply-To: michael@stroeder.com
Organization: stroeder.com
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18 i686)
X-Accept-Language: de-DE, de, en
MIME-Version: 1.0
To: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Subject: Re: it gets worse -- Microsoft warns of hijacked certificates
References: <3ABA8BBC.25412B54@nma.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Sender: 520010731148-0001@t-dialin.net
Precedence: bulk
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe
Content-Transfer-Encoding: 7bit

Ed Gerck wrote:
> 
> "A field in every certificate should indicate the CRL Distribution Point
> (CDP) - the location from which the CRL can be obtained. The problem is
> that VeriSign code-signing certificates leave the CDP information blank.

My intention always was that in current PKIX specs too many things
are optional.

Instead of discussing additional optional extensions (e.g. logos) we
should discuss how to build a secure and easy-to-implement PKI
system by making more details mandantory or leave them out
completely.

Ciao, Michael.