Ben Bucksch wrote:
>
> I'm lacking knowledge about OCSP here. If a client asks a CA for
> validation, does the CA disclose any new information about the cert
> (apart from the current status)?
This depends. OCSP can hold extensions which could make a statement
about the certificate holder. AFAIK a bank could theoretically add
an extension holding information about your credit standing.
> If so, can that be avoided or can the
> CA make sure first that all of this information is already known to the
> client?
This depends on the CA's policy. You simply have to look that up
before enrolling for a certificate.
I also have some concerns about privacy. But OCSP is not my main
concern. I usually dislike that every SSL server out there can
request my certificate for authentication. Therefore I'd like to see
an option in PSM's UI where I can mark a certificate as "e-mail
only". The default could be derived by keyUsage and extendedKeyUsage
extensions. But additionally there should be a way at the UI to set
it manually just in case the certificate's profile is wrong.
Ciao, Michael.
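The default Michael proposes, deriving an "e-mail only" marking from the keyUsage and extendedKeyUsage extensions, can be sketched in code. This is an added example, not code from the thread or from PSM. It parses only the DER values of those two extensions (pure Python, no certificate library), the sample extension values are constructed inline rather than taken from real certificates, and the policy rules (TLS client auth needs clientAuth and digitalSignature; S/MIME needs emailProtection plus a signing or encryption bit; absent extensions impose no restriction) are my reading of RFC 5280, not PSM's behaviour.

```python
# Added example: derive a default "e-mail only" marking from keyUsage /
# extendedKeyUsage.  Minimal DER parsing of the two extension values only;
# all inputs are constructed byte strings, not real certificates.

EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]


def der(tag, body):
    """Encode one short-form TLV (all bodies here are under 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (used to build samples)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(data, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def parse_eku(value):
    """ExtendedKeyUsage ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId"""
    tag, body, _ = read_tlv(value)
    assert tag == 0x30, "ExtendedKeyUsage must be a SEQUENCE"
    purposes, pos = set(), 0
    while pos < len(body):
        t, oid_body, pos = read_tlv(body, pos)
        assert t == 0x06, "KeyPurposeId must be an OBJECT IDENTIFIER"
        dotted = decode_oid(oid_body)
        purposes.add(EKU_NAMES.get(dotted, dotted))
    return purposes


def parse_key_usage(value):
    """KeyUsage ::= BIT STRING; bit 0 is the MSB of the first content byte."""
    tag, body, _ = read_tlv(value)
    assert tag == 0x03, "KeyUsage must be a BIT STRING"
    unused, bits = body[0], body[1:]
    nbits = len(bits) * 8 - unused
    return {KEY_USAGE_BITS[i] for i in range(min(nbits, len(KEY_USAGE_BITS)))
            if bits[i // 8] >> (7 - i % 8) & 1}


def default_purposes(key_usage_der=None, eku_der=None):
    """Decide what the UI should enable by default (assumed policy).

    An absent extension imposes no restriction (RFC 5280 4.2.1.3 / 4.2.1.12);
    anyExtendedKeyUsage lifts the EKU restriction.  TLS client auth signs
    the handshake, so it also needs the digitalSignature bit.
    """
    ku = parse_key_usage(key_usage_der) if key_usage_der else None
    eku = parse_eku(eku_der) if eku_der else None

    def allowed(purpose):
        return eku is None or purpose in eku or "anyExtendedKeyUsage" in eku

    can_sign = ku is None or bool(ku & {"digitalSignature", "nonRepudiation"})
    can_encrypt = ku is None or bool(ku & {"keyEncipherment", "keyAgreement"})
    tls_client = allowed("clientAuth") and (ku is None or "digitalSignature" in ku)
    email = allowed("emailProtection") and (can_sign or can_encrypt)
    return {"tls_client": tls_client, "email": email,
            "email_only": email and not tls_client}


# Constructed sample extension values (not from real certificates).
KU_SIGN_ENC = der(0x03, bytes([5, 0b10100000]))   # digitalSignature, keyEncipherment
KU_ENC_ONLY = der(0x03, bytes([5, 0b00100000]))   # keyEncipherment only
EKU_EMAIL = der(0x30, encode_oid("1.3.6.1.5.5.7.3.4"))
EKU_EMAIL_CLIENT = der(0x30, encode_oid("1.3.6.1.5.5.7.3.4")
                       + encode_oid("1.3.6.1.5.5.7.3.2"))

if __name__ == "__main__":
    print("email-only cert  :", default_purposes(KU_SIGN_ENC, EKU_EMAIL))
    print("email+client cert:", default_purposes(KU_SIGN_ENC, EKU_EMAIL_CLIENT))
    print("no EKU           :", default_purposes(KU_SIGN_ENC, None))
    print("encrypt-only key :", default_purposes(KU_ENC_ONLY, EKU_EMAIL_CLIENT))
```

The fourth case is the one a manual override in the UI would have to cover anyway: a certificate whose EKU lists clientAuth but whose key can only encipher ends up "e-mail only" under these rules, and a profile that is simply wrong would need the user to flip the marking by hand, as Michael suggests.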