Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

From: Paul Hoffman <paul.hoffman () vpnc org>
Date: Fri, 8 Aug 2008 12:35:43 -0700
At 1:47 PM -0500 8/8/08, Nicolas Williams wrote:

On Fri, Aug 08, 2008 at 02:08:37PM -0400, Perry E. Metzger wrote:

 The kerberos style of having credentials expire very quickly is one
 (somewhat less imperfect) way to deal with such things, but it is far
 from perfect and it could not be done for the ad-hoc certificate
 system https: depends on -- the infrastructure for refreshing all the
 world's certs every eight hours doesn't exist, and if it did imagine
 the chaos if it failed for a major CA one fine morning.


The PKIX moral equivalent of Kerberos V tickets would be OCSP Responses.

I understand most current browsers support OCSP.


...and only a tiny number of CAs do so.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: