Re: [pkix] An alternative proposal Was: Fwd: New VersionNotification for draft-hamilton-cmr-00.txt

Phillip Hallam-Baker <hallam@gmail.com> Thu, 03 November 2011 17:44 UTC

In-Reply-To: <C1A47F1540DF3246A8D30C853C05D0DA01B96B6B@DABECK.missi.ncsc.mil>
References: <CAD7F7D5.2003%tmiller@mitre.org> <201111031311.00428.rob.stradling@comodo.com> <C1A47F1540DF3246A8D30C853C05D0DA01B96B6B@DABECK.missi.ncsc.mil>
Date: Thu, 03 Nov 2011 13:44:24 -0400
Message-ID: <CAMm+LwiL_qXfyfrARCUVV1rntsxekE=MjQZa+zcNNcujnYsD-A@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "Kemp, David P." <DPKemp@missi.ncsc.mil>
Cc: pkix@ietf.org
Subject: Re: [pkix] An alternative proposal Was: Fwd: New VersionNotification for draft-hamilton-cmr-00.txt

To enable the inconsistency in the CA response to be detected more quickly
so that the euthanasia squad can be called in quicker.

On Thu, Nov 3, 2011 at 9:51 AM, Kemp, David P. <DPKemp@missi.ncsc.mil> wrote:

> "logs deleted"?  If the CA does not have a database, and database
> backups, and audit logs, and offsite audit log backups, showing what
> certificate serial numbers have been signed (only one of which would be
> needed to reconstruct current CRLs), that pretty much makes the case
> that neither a whitelist nor a blacklist is worth the bits it is printed
> on.  Given the lack of even rudimentary availability controls, what
> would make any RP believe that a cert, listed on a whitelist or not, has
> any validity?
>
> Dave
>
>
> -----Original Message-----
> From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of
> Rob Stradling
>
> http://isc.sans.edu/diary.html?storyid=11512
>
> "Some of the CA servers have had parts of their logs deleted, leading to
> DigiNotar not knowing what certificates were issued."
>
> "The OCSP server's working at DigiNotar has been reversed since Sept 1st.
> Normally these servers respond with good to all certificates except
> those on the CRL (a blacklist). The OCSP now operates in whitelist mode:
> it will call all unknown certificates signed by DigiNotar as revoked (a
> whitelist).
> Hence we need to make sure to use the OCSP server to validate DigiNotar
> certificates -should we want/need to- and not rely on the published CRLs
> anymore."
>
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
>



-- 
Website: http://hallambaker.com/
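The blacklist-mode versus whitelist-mode OCSP behaviour quoted from the SANS diary above, together with the inconsistency check the reply refers to, as an added example. This is not code from the thread, from DigiNotar or from SANS; every serial number, issuance record and CRL entry below is constructed sample data, and the status strings just reuse the RFC 6960 CertStatus names.

```python
"""Blacklist-mode versus whitelist-mode certificate status checks.

Added illustration for the thread above; not code from the thread, DigiNotar
or SANS. All serial numbers, issuance records and CRL contents are constructed
sample data. Status strings follow the RFC 6960 OCSP CertStatus names.
"""
from dataclasses import dataclass, field

GOOD = "good"
REVOKED = "revoked"


@dataclass
class CARecords:
    """What the CA can still prove about its own issuance."""
    issued: set[int]                                 # serials in surviving logs
    revoked: set[int] = field(default_factory=set)   # serials on the CRL


def blacklist_status(ca: CARecords, serial: int) -> str:
    """CRL semantics, and a conventional OCSP responder: anything not on the
    revocation list is reported good, whether or not the CA ever issued it."""
    return REVOKED if serial in ca.revoked else GOOD


def whitelist_status(ca: CARecords, serial: int) -> str:
    """Whitelist-mode responder as the SANS diary describes it: a serial is
    good only if it appears in the issuance records; everything else,
    including serials the CA signed but lost the record of, is 'revoked'."""
    if serial in ca.revoked or serial not in ca.issued:
        return REVOKED
    return GOOD


def inconsistent_serials(ca: CARecords, seen: list[int]) -> set[int]:
    """Serials for which the CRL view and the whitelist-mode OCSP view
    disagree. Each one is either a certificate signed outside the records
    (a rogue cert) or a legitimate one whose record was deleted; both need a
    human to look at them, which is why detecting them quickly matters."""
    return {s for s in seen if blacklist_status(ca, s) != whitelist_status(ca, s)}


def demo() -> dict:
    # Constructed scenario: three logged certs, one of them revoked; one cert
    # whose log entry was deleted (1004); one cert signed with the CA key by an
    # intruder and never logged (9999).
    ca = CARecords(issued={1001, 1002, 1003}, revoked={1003})
    seen = [1001, 1002, 1003, 1004, 9999]
    return {
        "blacklist": {s: blacklist_status(ca, s) for s in seen},
        "whitelist": {s: whitelist_status(ca, s) for s in seen},
        "flagged": inconsistent_serials(ca, seen),
    }


if __name__ == "__main__":
    for view, statuses in demo().items():
        print(view, statuses)
```

Running `demo()` shows the two failure modes side by side: the rogue serial 9999 is "good" under CRL/blacklist semantics because it was never put on a CRL, while the legitimately issued 1004 becomes "revoked" under whitelist semantics once its log entry is gone. The set returned by `inconsistent_serials` is exactly the list a CA with damaged issuance records has to triage.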