Limitations
~~~~~~~~
- Works only if attacker fraudulently issued a certificate with a serial
that is not associated with a good certificate.
This can be remedied by using an extension in which a server providing
white-list information conveys a hash of the
(genuine) certificate having this serial number. Note, that such an extension
does not only exist but is already used in
the context of qualified certificates in Germany: CertHash (OID 1.3.36.8.3.13),
defined in CommonPKI.
Johannes