<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi Eddy,<div><br></div><div>Good to hear from you.</div><div><br></div><div>My point is mostly that RP who are counting on TLS to provide a level of assurance that they are talking to a IdP need to perform CRL or OCSP checking.</div><div><br></div><div>Certificates without that should not be used by IdP.</div><div><br></div><div>There are browser issues no doubt. I am mostly concerned that RP are trusting a security mechanism that they have not configured properly and may get an unpleasant surprise at some point.</div><div><br></div><div>RP libraries need to take this seriously. </div><div><br></div><div>I have known the Comodo guys for a long time as well. </div><div>I use your Start SSL service for a reason. </div><div><br></div><div>However as you say if people don't manage the certificates in their root store they are more likely to see this sort of thing.</div><div><br></div><div>No CA is imune, sometimes customers shoot themselves in the foot, generating week keys etc.</div><div><br></div><div>We have to be able to deal with revoked certificates or we should not be using TLS security for a key part of openID trust.</div><div><br></div><div>Regards</div><div>John B.<br><div><div>On 2011-03-30, at 4:46 PM, Eddy Nigg (StartCom Ltd.) wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<div bgcolor="#ffffff" text="#000000">
<br>
On 03/30/2011 09:59 PM, From John Bradley:
<blockquote cite="mid:3E908D19-1784-495D-80E7-9C0B95A60A6E@ve7jtb.com" type="cite">
<pre wrap="">The problem is how do you not trust them without breaking significant parts of the internet.
They have us over a barrel.</pre>
</blockquote>
<br>
Well, well....both of you know that this is a particular issue of a
particular "Certification Authority" and that there are
alternatives. And incidentally I happen to know both you ;-)<br>
<br>
I assume that there will be actions by the most important browser
vendors, I suggest to check your certificate stores and CA bundles
at the servers and to rip those CAs you prefer not to trust.<br>
<br>
<br>
<div class="moz-signature">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org/">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org/">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
<br>
</div>
_______________________________________________<br>security mailing list<br><a href="mailto:security@lists.openid.net">security@lists.openid.net</a><br>http://lists.openid.net/mailman/listinfo/openid-security<br></blockquote></div><br></div></body></html>