Santosh Chokhani wrote:
> Ben Laurie,
> 
> I am posting this at the suggestion of Stephen Ferrell.  There is no evidence 
> that he supports or is against my analysis.  He just thought this mail list 
> is the appropriate place to make my point.
> 
> My basic tenet is that the OCSP certinfo extension being discussed in PKIX 
> does not protect against RA compromise and may also not protect against CA 
> compromise since the attacker who compromised the CA may be able to create an 
> OCSP Responder certificate and either also put bogus OCSP pointer in the 
> minted certificates or use DNS poisoning on the relying parties.
> 
> Thus, I think the certificate transparency is worth discussing.

Locating the OCSP server through AIA in the EE cert might be the
problem here.  Maybe the OCSP responder ought to be located
through an extension in the CA cert itself instead?

-Martin
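To make the two points above concrete, here is an added example (not code from either poster or from the PKIX/therightkey work) that builds a constructed three-certificate chain with Go's standard library: an issuing CA, a delegated OCSP responder certificate issued by that CA, and an end-entity certificate whose AIA extension carries the OCSP pointer. It shows where a relying party reads the responder location today (the AIA of the certificate being checked, RFC 5280 §4.2.2.1) and applies the RFC 6960 §4.2.2.2 responder-authorization rule, which accepts anything the CA key has signed with the id-kp-OCSPSigning EKU. The responder URLs are placeholders under `.invalid`; every certificate is generated in memory, so nothing touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Placeholder responder locations for the constructed chain (assumptions
// for this example, not real services).
const (
	eeOCSPURL = "http://ocsp.example.invalid/ee"
	caOCSPURL = "http://ocsp.example.invalid/ca"
)

// base returns a minimal leaf template; callers add CA flags, EKUs and AIA.
func base(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// issue signs tmpl under parent with parentKey. When parentKey is nil the
// certificate is self-signed with its own freshly generated P-256 key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// buildChain constructs the CA, a delegated OCSP responder certificate it
// issued, and an end-entity (EE) certificate whose AIA points at eeOCSPURL.
// The CA certificate carries its own AIA pointer as well.
func buildChain() (ca, responder, ee *x509.Certificate) {
	caTmpl := base(1, "Example Issuing CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage |= x509.KeyUsageCertSign
	caTmpl.OCSPServer = []string{caOCSPURL}
	var caKey *ecdsa.PrivateKey
	ca, caKey = issue(caTmpl, caTmpl, nil)

	respTmpl := base(2, "Example OCSP Responder")
	respTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	responder, _ = issue(respTmpl, ca, caKey)

	eeTmpl := base(3, "www.example.invalid")
	eeTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	eeTmpl.OCSPServer = []string{eeOCSPURL}
	ee, _ = issue(eeTmpl, ca, caKey)
	return ca, responder, ee
}

// ocspURLs returns the responder locations a relying party reads from the
// certificate's own AIA extension. Whoever minted the certificate chose them.
func ocspURLs(c *x509.Certificate) []string {
	return c.OCSPServer
}

// responderAuthorized applies the RFC 6960 rule: the response signer must be
// the issuing CA itself, or a certificate issued by that CA carrying the
// id-kp-OCSPSigning EKU. Any certificate the CA key has signed passes, so a
// compromised CA key yields an "authorized" responder as well.
func responderAuthorized(signer, issuer *x509.Certificate) bool {
	if signer.Equal(issuer) {
		return true
	}
	if err := signer.CheckSignatureFrom(issuer); err != nil {
		return false
	}
	for _, eku := range signer.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return true
		}
	}
	return false
}

func main() {
	ca, responder, ee := buildChain()
	fmt.Println("EE AIA OCSP pointer:", ocspURLs(ee))
	fmt.Println("CA AIA OCSP pointer:", ocspURLs(ca))
	fmt.Println("delegated responder authorized:", responderAuthorized(responder, ca))
	fmt.Println("EE cert as responder authorized:", responderAuthorized(ee, ca))
}
```

Note that under RFC 5280 the AIA in the CA certificate locates the responder for the CA certificate's own status (as issued by its parent), not for its subordinates, so pointing relying parties at the issuer's certificate, as suggested above, would need a new semantic for that extension; the example only shows where the pointers sit today and that the authorization check cannot tell a legitimately delegated responder from one minted with a compromised CA key.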
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey