<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Dick Hardt:
<blockquote cite="mid:7CCBE28B-53FA-43C0-8B85-BA9D271F06EA@sxip.com"
type="cite">
<pre wrap="">On 8-Aug-08, at 10:11 AM, Ben Laurie wrote:
</pre>
<blockquote type="cite">
<pre wrap="">It also only fixes this single type of key compromise. Surely it is
time to stop ignoring CRLs before something more serious goes wrong?
</pre>
</blockquote>
<!---->">
<pre wrap="">
Clearly many implementors have chosen to *knowingly* ignore CRLs
despite the security implications
</pre>
</blockquote>
<br>
Please note that Firefox 3 implements OCSP checking, which is turned on
by default. It's more efficient than CRLs. In that respect, also note
that some CAs support neither CRL distribution points in the end user
certificates nor OCSP at all. Obviously those are details a subscriber
should check before purchasing a certificate.<br>
<br>
Also, subscribers share the responsibilities with the CA in cases such
as the Debian fiasco; most CAs have refrained from detecting and
revoking affected certificates. Just to make it clear: this problem
isn't specific to OpenID but to all web sites, and we discussed this issue
extensively over at Mozilla (dev.tech.crypto).<br>
<br>
<br>
<div class="moz-signature">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, <a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>Jabber: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Phone: </td>
<td>+1.213.341.0390</td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
<br>
</body>
</html>