Perry didn't appear to forward this on to the list (I guess questions are OT):
I got the impression, many years ago, that you couldn't rely on systems to check revocation status, even if the system was online. I was wondering what the current status was on this for the various implementations (OpenSSL and NSS, in particular). I think I saw in OpenSSL cert generation that you could optionally set a CRL URL in CA certs, but I don't know what the mechanism is for downloading that; if it's up to the client, I suppose you can't rely on the client app to actually do it, and I wonder how failures would get reported - making it a potential case where bit rot may not get noticed. I also recall, around the time of the 7th Usenix security symposium, that there were various proposals for protocols to look up revoked certs efficiently (they were also mentioned in Peter Gutmann's crypto tutorial), but I haven't kept up on these. Any links on the subject, or key management generally, would be much appreciated. -- It asked me for my race, so I wrote in "human". -- The Beastie Boys My emails do not have attachments; it's a digital signature that your mail program doesn't understand. | http://www.subspacefield.org/~travis/ If you are a spammer, please email [email protected] to get blacklisted. -- It asked me for my race, so I wrote in "human". -- The Beastie Boys My emails do not have attachments; it's a digital signature that your mail program doesn't understand. | http://www.subspacefield.org/~travis/ If you are a spammer, please email [email protected] to get blacklisted.
pgpHTkZUSuZB6.pgp
Description: PGP signature
_______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
