Peter Gutmann wrote:
> Only if clocks are perfectly synchronised (see my previous post). If the client's clock is slow, I can prolong the life of a cert effectively indefinitely.

True - but you are therefore restricted to attacking clients with bad clocks. I'm quite happy to admit that many computer clocks may be out by up to (say) 20 minutes, but the widespread use of things like email which timestamp stuff with the clock time means that I suspect there are pretty few machines out there whose clocks are off by days or months.

> In addition, this assumes that CAs put sensible (or at least consistent) values in the time fields in an OCSP response. In practice, everyone seems to put in something different: The current time, the time the response was generated, the time of CRL issue, the wife's birthday, ...
Then that's an implementation issue which needs to be fixed.

Gerv
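
Added example, not part of the original message or of any Mozilla code: a client-side freshness check on the thisUpdate, nextUpdate and producedAt fields of an OCSP response, replayed against clients whose clocks are accurate, 20 minutes slow and 3 days slow. The function names, the 20-minute skew tolerance, the 7-day age cap and the sample timestamps are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=20)  # assumed tolerance, echoing the "20 minutes" figure in the thread
MAX_AGE = timedelta(days=7)       # assumed cap applied when a response has no nextUpdate


def check_ocsp_times(this_update, next_update, produced_at, local_now,
                     max_skew=MAX_SKEW, max_age=MAX_AGE):
    """Return (accepted, reason) for one response as judged by one client clock."""
    # Sanity checks chosen for this example: reject internally inconsistent fields.
    if produced_at < this_update:
        return False, "producedAt precedes thisUpdate"
    if next_update is not None and next_update <= this_update:
        return False, "nextUpdate not after thisUpdate"
    # Response appears to come from the future, beyond what a slow client clock explains.
    if this_update > local_now + max_skew:
        return False, "thisUpdate is in the future"
    # nextUpdate is optional, so fall back to a local age limit when it is absent.
    expiry = next_update if next_update is not None else this_update + max_age
    if local_now - max_skew > expiry:
        return False, "response is stale"
    return True, "fresh"


def replay_outcomes(true_now, clock_errors):
    """Replay one constructed, already-expired response to clients with the given clock errors."""
    this_update = true_now - timedelta(days=3)
    next_update = this_update + timedelta(days=1)  # expired two days before true_now
    return {
        label: check_ocsp_times(this_update, next_update, this_update, true_now + err)
        for label, err in clock_errors.items()
    }


if __name__ == "__main__":
    now = datetime(2005, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed instant
    errors = {"accurate": timedelta(0),
              "20 min slow": timedelta(minutes=-20),
              "3 days slow": timedelta(days=-3)}
    for label, verdict in replay_outcomes(now, errors).items():
        print(label, verdict)
```

Only the client whose clock is 3 days slow accepts the replayed response; the accurate client and the one 20 minutes slow both reject it as stale.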
