<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Dick Hardt wrote:
<blockquote cite="mid:7CCBE28B-53FA-43C0-8B85-BA9D271F06EA@sxip.com"
type="cite">
<pre wrap="">On 8-Aug-08, at 10:11 AM, Ben Laurie wrote:
</pre>
<blockquote type="cite">
<pre wrap="">It also only fixes this single type of key compromise. Surely it is
time to stop ignoring CRLs before something more serious goes wrong?
</pre>
</blockquote>
<pre wrap=""><!---->
Clearly many implementors have chosen to *knowingly* ignore CRLs
despite the security implications, so my take away would be that the
current public key infrastructure is flawed.
</pre>
</blockquote>
Well, they might have done this *knowingly*, but--at least for
some--I doubt that they *know* what they have done. IMO, it is bad
practice to implement only half of a protocol/standard for any reason
(especially out of laziness or ignorance), but that is what using
certificates without CRL checking amounts to.<br>
<br>
If we believe that the current PKI was truly flawed, it would be an
act of gross negligence to use it for anything requiring a properly
secured communication channel. <br>
<br>
To extend Ben's advice: Decide if you want to use the current PKI.
If so, implement CRL checking. <br>
<br>
Gerald<br>
<blockquote cite="mid:7CCBE28B-53FA-43C0-8B85-BA9D271F06EA@sxip.com"
type="cite">
<pre wrap="">-- Dick
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
<br>
</body>
</html>