ianG <i...@iang.org> writes:

>On 1/12/11 15:10 PM, Peter Gutmann wrote:
>> ianG <i...@iang.org> writes:
>>> Is this in any way a cause for action in contract? Is this a cause for
>>> revocation?
>> And given that you have to ask the MITM for the revocation information, how
>> would you revoke such a cert?
>
>Wait! Mallory has delivered Alice a valid CA-signed-sub-CA-signed cert.
>That is the valid information, right? There was nothing wrong with the cert
>that wasn't seen, it is the new one that is at fault.

I assumed you were asking whether it was cause for revocation of the MITM CA.
Since you have to go via the MITM to do the blacklist check, you're hosed.

In any case though, since you own the MITM CA, all you need to do is leave out
the authorityInfoAccess and the clients won't even try and check. Or make it a
CRL, and many won't bother checking even if the AIA is present (that's a nice
way to get a cheap CA cert for a year: buy it from a commercial CA, make sure
the revocation is done via a CRL, say you changed your mind and want your money
back, and you've got your own nearly-free CA cert for a year when nothing
bothers checking the CRL, as users of such CA certs have discovered in the past
:-). Those were reasons #528 and #309 in the series.

Peter.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
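The message's point is that a client which silently skips revocation checking whenever a certificate carries no authorityInfoAccess (or only a CRL pointer it never fetches) can be steered around by whoever issues the certificate. The defensive counterpart is a client-side policy that treats "no advertised revocation source" as a hard failure rather than a pass. The following is an added example, not code from the thread or from any of the people in it: a minimal DER walker that reads an X.509 Extensions block, reports whether it advertises an OCSP responder (authorityInfoAccess with id-ad-ocsp) or a cRLDistributionPoints extension, and returns a verdict. The sample extension blocks and the example.test hostnames are constructed for the demonstration; the OIDs are the standard RFC 5280 values.

```python
# Added example: revocation-source policy check over an X.509 Extensions block.
# Standard OIDs (RFC 5280); sample data below is constructed for this demo.
OID_AIA = "1.3.6.1.5.5.7.1.1"          # authorityInfoAccess
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"     # id-ad-ocsp access method
OID_CRL_DP = "2.5.29.31"               # cRLDistributionPoints
OID_BASIC_CONSTRAINTS = "2.5.29.19"


def der_len(n: int) -> bytes:
    """DER length, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                     # base-128, high bit = more bytes
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the DER element starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln


def parse_extensions(ext_block: bytes) -> dict:
    """Extensions ::= SEQUENCE OF Extension { extnID, critical OPTIONAL, extnValue }."""
    tag, seq, _ = read_tlv(ext_block, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    exts, pos = {}, 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag, body, p = read_tlv(ext, p)
        if tag == 0x01:                      # skip optional critical BOOLEAN
            tag, body, p = read_tlv(ext, p)
        assert tag == 0x04, "extnValue must be an OCTET STRING"
        exts[decode_oid(oid_body)] = body
    return exts


def ocsp_urls(aia_value: bytes) -> list:
    """URIs from AccessDescriptions whose accessMethod is id-ad-ocsp."""
    _, seq, _ = read_tlv(aia_value, 0)
    urls, pos = [], 0
    while pos < len(seq):
        _, desc, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(desc, 0)
        tag, name, _ = read_tlv(desc, p)
        if decode_oid(oid_body) == OID_AD_OCSP and tag == 0x86:   # [6] URI
            urls.append(name.decode("ascii"))
    return urls


def revocation_sources(ext_block: bytes) -> dict:
    exts = parse_extensions(ext_block)
    ocsp = ocsp_urls(exts[OID_AIA]) if OID_AIA in exts else []
    return {"ocsp": ocsp, "crl_dp": OID_CRL_DP in exts}


def revocation_policy(ext_block: bytes) -> str:
    """'ocsp' if a responder is advertised, 'crl' if only a CRL DP is,
    'reject' if the certificate gives no way to check its status at all."""
    src = revocation_sources(ext_block)
    return "ocsp" if src["ocsp"] else "crl" if src["crl_dp"] else "reject"


# --- constructed sample Extensions blocks (hostnames are placeholders) ---
def _ext(oid, inner):
    return tlv(0x30, encode_oid(oid) + tlv(0x04, inner))

def _aia(url):
    access = tlv(0x30, encode_oid(OID_AD_OCSP) + tlv(0x86, url.encode("ascii")))
    return _ext(OID_AIA, tlv(0x30, access))

def _crldp(url):   # DistributionPoint { [0] { fullName [0] { [6] URI } } }
    return _ext(OID_CRL_DP, tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, url.encode("ascii"))))))

_BASIC_CA = _ext(OID_BASIC_CONSTRAINTS, tlv(0x30, b"\x01\x01\xff"))
WITH_OCSP = tlv(0x30, _BASIC_CA + _aia("http://ocsp.example.test"))
WITH_CRL_ONLY = tlv(0x30, _BASIC_CA + _crldp("http://crl.example.test/ca.crl"))
NO_REVOCATION_INFO = tlv(0x30, _BASIC_CA)

if __name__ == "__main__":
    for label, blk in [("ocsp", WITH_OCSP), ("crl-only", WITH_CRL_ONLY), ("none", NO_REVOCATION_INFO)]:
        print(label, revocation_sources(blk), "->", revocation_policy(blk))
```

The verdict a client acts on is the design choice: "reject" turns the omitted-AIA trick into a connection failure instead of a silent pass, and "crl" makes it visible when the only advertised source is one that will have to be fetched and actually consulted rather than ignored.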