
Re: https

2011-08-29 13:10:35
----- Original Message -----
From: "Hector Santos" <hsantos(_at_)santronics(_dot_)com>
To: "Adam Novak" <interfect(_at_)gmail(_dot_)com>
Cc: "IETF Discussion" <ietf(_at_)ietf(_dot_)org>
Sent: Friday, August 26, 2011 8:49 PM
Subject: Re: https


I see, so as long as it's not revoked, if compromised, you are hosed
until it expires.

I wonder if OCSP (Online Certificate Status Protocol) can help
address this?

Hector

Back in 2008, some people could not access the IETF website using
TLS because of OCSP; I think that the URI for the OCSP site for
the certificate was unavailable, at least for some parts of the
world.  Another potential vector for failure.

Tom Petch

Expired or not, it can still be revoked with dynamic
checking as long as the browser has OCSP enabled.  So I guess it's a
matter of reporting the theft as soon as it is discovered.


Adam Novak wrote:
On Fri, Aug 26, 2011 at 1:13 PM, Hector Santos <hsantos(_at_)santronics(_dot_)com> wrote:
Makes you wonder. Why is the concept of expiration required?  Did the IETF
expire, die?  Did its value as an Organization go down and only valid on a
year to year basis?

As I understand it, expiration is supposed to solve the problem of
someone getting their hands on your old certificates and impersonating
you. In order to impersonate you, not only do they have to get into
your system, they have to have done it in the last year or so.

It also keeps certificates for domains from outliving domain
registrations for too long. If you don't have the domain when you go
to renew the certificate, the CA shouldn't renew it.

I guess it also keeps revocation lists short. You only have to
remember that a certain certificate was compromised until it expires,
instead of forever.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf



--
Sincerely

Hector Santos
http://www.santronics.com



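The thread makes three points about certificate lifetime that are easy to conflate: expiry alone rejects a certificate whatever its revocation status (Adam Novak, and Hector's "hosed until it expires"), a revoked certificate that has expired no longer needs a CRL entry (Adam's "keeps revocation lists short"), and a revocation check is only as good as the responder's availability (Tom Petch's OCSP outage). The following Python model is an added example written for this page, not code from the thread or from any IETF project; the certificate names, serial numbers, dates and the `hard_fail` policy flag are constructed for illustration, and the OCSP/CRL lookup is simulated rather than performed over the network.

```python
# Added example: how expiry, a revocation lookup, and responder availability
# combine in a relying party's decision. All names, serials and dates are
# constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(Enum):
    GOOD = "good"
    NOT_YET_VALID = "not_yet_valid"
    EXPIRED = "expired"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # revocation status could not be obtained


@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class RevocationEntry:
    serial: int
    revoked_at: datetime


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data: hypothetical hostnames, arbitrary serials.
NOW = _utc(2011, 8, 29)
CERTS = {
    1001: Cert(1001, "www.example.org", _utc(2011, 1, 1), _utc(2012, 1, 1)),
    1002: Cert(1002, "old.example.org", _utc(2009, 1, 1), _utc(2010, 1, 1)),
    1003: Cert(1003, "stolen.example.org", _utc(2011, 1, 1), _utc(2012, 1, 1)),
}
# Constructed CRL: 1002 was revoked long ago and has since expired;
# 1003 was reported stolen a few days before NOW.
CRL = [
    RevocationEntry(1002, _utc(2009, 6, 1)),
    RevocationEntry(1003, _utc(2011, 8, 26)),
]


def revocation_status(serial, crl, responder_reachable):
    """Simulated OCSP/CRL lookup. If the responder (or CRL distribution
    point) cannot be reached, the relying party learns nothing."""
    if not responder_reachable:
        return Status.UNKNOWN
    if any(entry.serial == serial for entry in crl):
        return Status.REVOKED
    return Status.GOOD


def check_cert(cert, now, crl, responder_reachable=True):
    """Validity window first: an expired certificate is rejected on its
    dates alone, so no revocation lookup is needed for it."""
    if now < cert.not_before:
        return Status.NOT_YET_VALID
    if now > cert.not_after:
        return Status.EXPIRED
    return revocation_status(cert.serial, crl, responder_reachable)


def accept(status, hard_fail):
    """Policy for the outage Tom Petch describes: hard-fail treats UNKNOWN
    as a rejection (the site becomes unreachable while the responder is
    down); soft-fail lets it through (a revoked certificate is accepted
    while the responder is down). Neither choice is free."""
    if status == Status.GOOD:
        return True
    if status == Status.UNKNOWN:
        return not hard_fail
    return False


def remaining_exposure(cert, now):
    """How long a stolen private key stays usable if the theft is never
    reported: expiry bounds the damage window, as Adam Novak notes."""
    return max(cert.not_after - now, timedelta(0))


def prune_crl(crl, certs, now):
    """Once a revoked certificate has expired it can be dropped from the
    CRL, because expiry already rejects it; this is what keeps CRLs short."""
    return [entry for entry in crl if certs[entry.serial].not_after >= now]


if __name__ == "__main__":
    for serial, cert in CERTS.items():
        status = check_cert(cert, NOW, CRL)
        print(serial, cert.subject, status.value,
              "exposure:", remaining_exposure(cert, NOW).days, "days")
    print("responder down, hard-fail:",
          accept(check_cert(CERTS[1001], NOW, CRL, False), hard_fail=True))
    print("CRL after pruning:", [e.serial for e in prune_crl(CRL, CERTS, NOW)])
```

The ordering in `check_cert` is the practical answer to Hector's "expired or not, it can still be revoked": a CA can keep a revocation entry for an expired certificate, but a relying party never needs it, which is why `prune_crl` can drop the entry for serial 1002 while keeping 1003. The `hard_fail` flag makes the OCSP outage trade-off explicit; the soft-fail branch is the behaviour that let the 2008 outage degrade quietly for some users and that makes the "report the theft as soon as it is discovered" advice weaker than it sounds whenever the responder is unreachable.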