Inventing something new probably won't get implemented. Simply letting openssl check the CRL list would be a huge improvement. It wouldn't catch the ones the CAs don't know about, but it stops the ones that are discovered from being problems for years.
John B.

On 2011-03-25, at 3:49 PM, SitG Admin wrote:

>> I will also point out that this is not the only incident of issuing
>> certificates to the wrong people that Comodo has been involved in.
>
> If not them, it would be some other low-hanging fruit. The weakest CA in the
> pool.
>
>> So the one thing we can do from an openID point of view is at least take
>> revocation seriously, because I am willing to bet this will not be the last
>> time something like this happens.
>
> Cert caching? (Check the CA chain?) Most effectively for major RPs accepting
> logins from major OPs: react to a single cert from a CA never previously
> associated with that domain, when processing thousands of concurrent logins
> from the familiar cert?
>
> The low-hanging fruit is most likely to make this kind of mistake, but it'd
> be nice if we weren't relying on them to catch it. (Ultimately, yes, but it
> might be preferable in some use-cases to break in favor of security over
> convenience.)
>
> -Shade
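John's point about letting openssl check the CRL, as an added shell example that is not from the thread: it builds a throwaway CA and leaf certificate, revokes the leaf, and shows that `openssl verify` keeps accepting the revoked certificate until `-crl_check` is given. The CA name, the leaf name and the temp directory are constructed; the only dependency is the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread): `openssl verify` only honours a
# revocation when told to consult the CRL (-crl_check). The CA, the leaf
# and the names (DemoCA, op.example.test) are constructed throwaways.
set -e

setup_demo_ca() {
  W=$(mktemp -d) && cd "$W"
  # Minimal config for `openssl ca` (database, serial and CRL number files).
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.pem
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF
  touch index.txt; echo 01 > serial; echo 01 > crlnumber
  # Self-signed CA, a leaf issued by it, then revoke the leaf and publish the CRL.
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -subj /CN=DemoCA \
    -days 365 -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj /CN=op.example.test \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl ca -batch -config ca.cnf -notext -in leaf.csr -out leaf.pem 2>/dev/null
  openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
# Chain validation alone still accepts the revoked leaf.
verify_without_crl() { openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1; }
# With the CRL consulted, the same leaf is rejected as revoked.
verify_with_crl() { openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem >/dev/null 2>&1; }

setup_demo_ca
verify_without_crl && echo "no -crl_check: accepted"; verify_with_crl || echo "-crl_check: rejected (revoked)"
```

The same distinction applies inside a program that uses the OpenSSL library: the CRL is ignored unless the verify flags request the check and the CRL has been loaded into the store.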
_______________________________________________ security mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-security
