[130173] in cryptography@c2.net mail archive
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
daemon@ATHENA.MIT.EDU (Paul Hoffman)
Fri Aug 8 15:41:36 2008
In-Reply-To: <20080808184701.GL25547@Sun.COM>
Date: Fri, 8 Aug 2008 12:35:43 -0700
To: bugtraq@securityfocus.com, security@openid.net,
OpenID List <general@openid.net>, cryptography@metzdowd.com,
full-disclosure@lists.grok.org.uk
From: Paul Hoffman <paul.hoffman@vpnc.org>
At 1:47 PM -0500 8/8/08, Nicolas Williams wrote:
>On Fri, Aug 08, 2008 at 02:08:37PM -0400, Perry E. Metzger wrote:
>> The kerberos style of having credentials expire very quickly is one
>> (somewhat less imperfect) way to deal with such things, but it is far
>> from perfect and it could not be done for the ad-hoc certificate
>> system https: depends on -- the infrastructure for refreshing all the
>> world's certs every eight hours doesn't exist, and if it did imagine
>> the chaos if it failed for a major CA one fine morning.
>
>The PKIX moral equivalent of Kerberos V tickets would be OCSP Responses.
>
>I understand most current browsers support OCSP.
...and only a tiny number of CAs do so.
--Paul Hoffman, Director
--VPN Consortium
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
