Ben Laurie,

I am posting this at the suggestion of Stephen Ferrell. There is no evidence that he supports or is against my analysis. He just thought this mail list is the appropriate place to make my point.
My basic tenet is that the OCSP certinfo extension being discussed in PKIX does not protect against RA compromise and may also not protect against CA compromise, since the attacker who compromised the CA may be able to create an OCSP Responder certificate and either also put a bogus OCSP pointer in the minted certificates or use DNS poisoning on the relying parties. Thus, I think certificate transparency is worth discussing.

Santosh Chokhani
CygnaCom Solutions
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
