Peter Gutmann wrote:
> Gervase Markham <[EMAIL PROTECTED]> writes:
>
>> True - but you are therefore restricted to attacking clients with bad
>> clocks. I'm quite happy to admit that many computer clocks may be out by
>> up to (say) 20 minutes, but the widespread use of things like email
>> which timestamp stuff with the clock time means that I suspect there are
>> pretty few machines out there whose clocks are off by days or months.
>
> Again, refer to my original post, which reports actual findings.

I can't find a post which is an ancestor of this one which fits this
description.

> In addition, this assumes that CAs put sensible (or at least consistent)
> values in the time fields in an OCSP response. In practice, everyone seems to
> put in something different: The current time, the time the response was
> generated, the time of CRL issue, the wife's birthday, ...
>
>> Then that's an implementation issue which needs to be fixed.
>
> Right, and that's a relatively small matter of programming, all you need to do
> is get all the CAs and PKI vendors to agree on how to do it, and then change
> all their applications and certs to conform. QED.
I'm slightly confused as to why you think this is a problem. I'm not
familiar (enough) with the details of OCSP fields but I assume there is
a "time of issue" field. Presumably agreeing that this should represent
the time of issue, and getting people to do it, would not be controversial.
Stop me if I've missed something.
Gerv
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
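The thread is arguing about two separate things: how much clock skew a client should tolerate, and which of the OCSP time fields a responder actually fills in consistently. The example below is an added illustration, not code from the thread, from Mozilla or from any CA. It models the three time fields that RFC 2560 defines for a BasicOCSPResponse (producedAt, thisUpdate and the optional nextUpdate) and applies a client-side acceptance policy: a skew window of 20 minutes (Gerv's figure above), a maximum age for responses that carry no nextUpdate, and a consistency check between producedAt and thisUpdate that catches the kind of responder Peter describes. The skew, the maximum age, the class name and the scenario data are all assumptions made here; no real responder output is parsed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class OcspTimes:
    """The three time fields of an OCSP BasicOCSPResponse (RFC 2560 4.2.2.1).

    Hypothetical container used for this example; a real client would pull
    these out of the DER-encoded response after checking its signature.
    """
    produced_at: datetime            # when the responder signed the response
    this_update: datetime            # when the reported status was known to be correct
    next_update: Optional[datetime]  # when newer status will be available; may be absent


def check_ocsp_times(times: OcspTimes, now: datetime,
                     skew: timedelta = timedelta(minutes=20),
                     max_age: timedelta = timedelta(days=7)) -> Tuple[bool, str]:
    """Decide whether a response is acceptable at local time `now`.

    `skew` is the clock error we are willing to forgive in either direction
    (assumed value: 20 minutes). `max_age` bounds how old a response without a
    nextUpdate may be before we refuse to trust it (assumed value: 7 days).
    Returns (accepted, reason).
    """
    # A thisUpdate in the future beyond the skew window means either our clock
    # is badly wrong or the response was not produced when it claims.
    if times.this_update > now + skew:
        return False, "thisUpdate is in the future beyond the allowed clock skew"

    # Consistency check on the responder's own clock: a response cannot be
    # signed (producedAt) before the status it reports was known (thisUpdate).
    # This is a policy choice of this example, not a requirement of the RFC.
    if times.produced_at + skew < times.this_update:
        return False, "producedAt precedes thisUpdate: inconsistent responder clock"

    if times.next_update is not None:
        if times.next_update < times.this_update:
            return False, "nextUpdate precedes thisUpdate"
        # Past nextUpdate (minus skew) the responder has promised fresher data,
        # so an attacker replaying this response should no longer succeed.
        if times.next_update < now - skew:
            return False, "response has expired (nextUpdate is in the past)"
    else:
        # With no nextUpdate the RFC leaves freshness to local policy; cap the
        # age so an old "good" response cannot be replayed indefinitely.
        if now - times.this_update > max_age + skew:
            return False, "no nextUpdate and thisUpdate is older than the maximum accepted age"

    return True, "ok"


def run_scenarios() -> dict:
    """Constructed scenarios (not captured responder output) exercising each rule."""
    now = datetime(2004, 6, 1, 12, 0, tzinfo=timezone.utc)
    m = lambda minutes: timedelta(minutes=minutes)
    d = lambda days: timedelta(days=days)
    cases = {
        # Normal case: signed a few minutes ago, valid for a day.
        "fresh": OcspTimes(now - m(5), now - m(10), now + d(1)),
        # Our clock is 15 minutes slow; still inside the 20 minute window.
        "client_clock_slow": OcspTimes(now + m(15), now + m(15), now + d(1)),
        # 45 minutes in the future: outside the window, refused.
        "future_this_update": OcspTimes(now + m(45), now + m(45), now + d(1)),
        # nextUpdate passed a day ago: a replayed stale response.
        "expired": OcspTimes(now - d(3), now - d(3), now - d(1)),
        # No nextUpdate, one day old: accepted under the 7 day policy.
        "no_next_update_recent": OcspTimes(now - d(1), now - d(1), None),
        # No nextUpdate, 30 days old: refused under the 7 day policy.
        "no_next_update_stale": OcspTimes(now - d(30), now - d(30), None),
        # Responder signed the response a day before the status time it reports.
        "produced_before_this": OcspTimes(now - d(2), now - d(1), now + d(1)),
    }
    return {name: check_ocsp_times(t, now) for name, t in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:24s} {'ACCEPT' if ok else 'REJECT':6s} {reason}")
```

The skew window is applied symmetrically, so a client whose clock is 20 minutes fast or slow still gets a usable answer, while a response whose fields disagree with each other by more than that is rejected regardless of the local clock. Which of the three fields a given CA populates sensibly is exactly the open question in the thread; the consistency check here is one way a client can refuse to guess.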