Gervase Markham wrote:
Peter Gutmann wrote:
Gervase Markham <[EMAIL PROTECTED]> writes:
True - but you are therefore restricted to attacking clients with bad
clocks. [...] I suspect
there are pretty few machines out there whose clocks are off by days
or months.
Again, refer to my original post, which reports actual findings.
I can't find a post which is an ancestor of this one which fits this
description.
Anyway if the clock are that off, the assumptions needed for crl and for
certificate are broken too. The most annoying case is truly when the
clock are only a little off, too small to be a big problem at the
ordinary time scale for crl and certificate, but big enough to seriously
disrupt OCSP.
I appreciate Peter's down to earth approach to cryptography, but I
consider it has one down point, he tends to thinks that product should
support any broken, mis-configured client and that there is no place
where we can set a limit. I think mozilla.org has very often been
confronted to this situation, having to choose between bending the rules
to be compatible with more people or setting a limit and rejecting
people who don't at least properly implements this or that. It has very
often been quite effective in evaluating the good and bad of each
approach and select the proper threshold. This has been done on several
occasion by initially taking a strict position, and after earning more
experience, relaxing it in an appropriate way (document.all, file type
determined by Content-Type value). I think such an approach can prove
effective once more in this situation.
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
