Re: More Phishing scams, still no SSL being used...

[Jean-Marc Desperrier]

Gervase Markham wrote:
Peter Gutmann wrote:
OCSP doesn't scale at all, which is why recent "high-performance" OCSP
proposals break the protocol's security [...]  The result is that 
you're not getting a real certificate status any more [...]
If the status has a timestamp and a validity duration embedded in it, 
how can a replay attack be effective? An attacker could send an old 
response up until it expired,
In the more secure version of OCSP, you use no validity duration, you 
include a nonce in your request that must be present in the response, so 
the response must be generated on demand and can't be cached.
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto