[security] SL compromise

John Bradley ve7jtb at ve7jtb.com
Fri Mar 25 20:03:19 UTC 2011


Inventing something new probably won't get implemented. Simply letting OpenSSL check the CRL would be a huge improvement.
It wouldn't catch the ones the CAs don't know about, but it stops the ones that are discovered from being problems for years.

John B.
On 2011-03-25, at 3:49 PM, SitG Admin wrote:

>> I will also point out that this is not the only incident of issuing certificates to the wrong people that Comodo has been involved in.
> 
> If not them, it would be some other low-hanging fruit. The weakest CA in the pool.
> 
>> So the one thing we can do from an OpenID point of view is at least take revocation seriously, because I am willing to bet this will not be the last time something like this happens.
> 
> Cert caching? (Check the CA chain?) Most effectively for major RPs accepting logins from major OPs, react to a single cert from a CA never previously associated with that domain, when processing thousands of concurrent logins from the familiar cert?
> 
> The low-hanging fruit is most likely to make this kind of mistake, but it'd be nice if we weren't relying on them to catch it. (Ultimately, yes, but it might be preferable in some use-cases to break in favor of security over convenience.)
> 
> -Shade
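The revocation check John describes above ("letting OpenSSL check the CRL"), as an added worked example that is not part of this thread or of any OpenID library: a throwaway CA issues two certificates, revokes one for key compromise and publishes a CRL, and the same leaf certificate is then verified with and without OpenSSL's `-crl_check`. The CA name, the two CNs and all file paths are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Demonstrates what "let OpenSSL
# check the CRL" means in practice. All names, CNs and paths are invented.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca"

setup_ca() {
  mkdir -p "$CA/newcerts"
  : > "$CA/index.txt"             # certificate database used by "openssl ca"
  echo 1000 > "$CA/serial"
  echo 01 > "$CA/crlnumber"
  cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$CA/openssl.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Demo Root CA" -keyout "$CA/ca.key" -out "$CA/ca.pem" 2>/dev/null
}

issue_cert() {  # $1 = file stem, $2 = CN; signs through "openssl ca" so it lands in the database
  openssl req -new -config "$CA/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl ca -batch -notext -config "$CA/openssl.cnf" \
    -in "$WORK/$1.csr" -out "$WORK/$1.pem" >/dev/null 2>&1
}

revoke_cert() {  # $1 = file stem; marks the entry revoked in the CA database
  openssl ca -batch -config "$CA/openssl.cnf" -revoke "$WORK/$1.pem" \
    -crl_reason keyCompromise >/dev/null 2>&1
}

publish_crl() {
  openssl ca -batch -config "$CA/openssl.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
  # A -CAfile may carry CRLs next to the trust anchors; this works on old and new OpenSSL alike.
  cat "$CA/ca.pem" "$WORK/crl.pem" > "$WORK/bundle.pem"
}

classify() {  # map "openssl verify" output to a one-word status
  case "$1" in
    *": OK"*)                          echo OK ;;
    *"certificate revoked"*)           echo REVOKED ;;
    *"unable to get certificate CRL"*) echo NO_CRL ;;
    *)                                 echo ERROR ;;
  esac
}

# Chain check only: the revocation is invisible to the verifier.
status_without_crl() {
  out=$(openssl verify -CAfile "$CA/ca.pem" "$WORK/$1.pem" 2>&1 || true)
  classify "$out"
}

# Chain check plus CRL lookup; -crl_check fails closed (NO_CRL) when no CRL for the issuer is loaded.
status_with_crl() {
  out=$(openssl verify -crl_check -CAfile "$WORK/bundle.pem" "$WORK/$1.pem" 2>&1 || true)
  classify "$out"
}

setup_ca
issue_cert good    good.example
issue_cert revoked revoked.example
revoke_cert revoked
publish_crl

for stem in good revoked; do
  echo "$stem: without CRL check -> $(status_without_crl "$stem"), with CRL check -> $(status_with_crl "$stem")"
done
```

The revoked certificate verifies as OK until the CRL is consulted, which is exactly the gap John is pointing at. A real relying party would not assemble the bundle by hand: it fetches the CRL from the URL in the leaf's CRL Distribution Points extension (visible with `openssl x509 -in cert.pem -noout -text`), refreshes it before `nextUpdate`, and uses `-crl_check_all` rather than `-crl_check` so intermediates are checked too. Note that OpenSSL fails closed when the CRL is missing, which is the strict behaviour the thread argues for, whereas most browser clients of that era soft-failed.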
