On 24/09/12 11:48, Ben Laurie wrote:
<snip>
> The problem is that if the OCSP server is not identified in the EE
> cert, then a misissued cert can be revoked according to one chain and
> not revoked according to another.

Disagree.

In OCSP, the issuer is identified by Name Hash and Key Hash, not by Certificate.

Even a single OCSP Responder could potentially give different responses to different clients, so I don't think having different Responder URLs in different chains would create a problem that isn't already there.

> This defeats the purpose of CT.
>
> There is a question of what to do if the CA issues a cert with the
> wrong OCSP server in it - the answer, IMO, is you revoke the CA cert,
> since it clearly cannot be trusted.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
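Rob's point that OCSP identifies the issuer by Name Hash and Key Hash (the CertID of RFC 6960, section 4.1.1), worked through as an added example; this is not code from the thread, from Comodo or from any OCSP implementation. It hand-rolls the small amount of DER it needs so it runs with only the Python standard library; the certificates are toy records and the key bytes are constructed placeholders, not real RSA keys. The assumption it makes about hashing is that issuerKeyHash is computed over the subjectPublicKey BIT STRING contents without the unused-bits octet, the convention OpenSSL and Go's x/crypto/ocsp follow. It shows that an end-entity certificate gets byte-for-byte the same CertID whether the client holds the intermediate as issued by Root A or as cross-signed by Root B (same Name, same key), and a different CertID for a certificate that reuses the issuer's Name with a different key.

```python
"""OCSP CertID (RFC 6960 section 4.1.1) built from hand-rolled DER.
Constructed example: every certificate is a toy record, and the key bytes
are arbitrary placeholders, not real RSA keys."""
import hashlib
from dataclasses import dataclass


def der(tag: int, content: bytes) -> bytes:
    """Encode one definite-length DER TLV."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))


def der_int(value: int) -> bytes:
    # Non-negative INTEGER; the extra byte keeps a leading 0x00 when the top bit is set.
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


OID_CN, OID_O, OID_RSA, OID_SHA1 = "2.5.4.3", "2.5.4.10", "1.2.840.113549.1.1.1", "1.3.14.3.2.26"


def name(org: str, cn: str) -> bytes:
    """DER Name: SEQUENCE of single-attribute RDNs (O, then CN) with UTF8String values."""
    def rdn(oid: str, value: str) -> bytes:
        return der(0x31, der(0x30, der_oid(oid) + der(0x0C, value.encode())))
    return der(0x30, rdn(OID_O, org) + rdn(OID_CN, cn))


def spki(key_bytes: bytes) -> bytes:
    """DER SubjectPublicKeyInfo: rsaEncryption AlgorithmIdentifier + key BIT STRING."""
    alg = der(0x30, der_oid(OID_RSA) + b"\x05\x00")
    return der(0x30, alg + der(0x03, b"\x00" + key_bytes))  # 0 unused bits


def subject_public_key(spki_der: bytes) -> bytes:
    """subjectPublicKey BIT STRING contents without tag, length or the unused-bits
    octet: the bytes OpenSSL and Go's x/crypto/ocsp feed to issuerKeyHash."""
    _, body, _ = tlv(spki_der)
    _, _alg, after_alg = tlv(body)
    tag, bits, _ = tlv(body, after_alg)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    return bits[1:]


@dataclass(frozen=True)
class Cert:
    subject: bytes  # DER Name
    issuer: bytes   # DER Name
    spki: bytes     # DER SubjectPublicKeyInfo
    serial: int


def cert_id(ee: Cert, issuer: Cert) -> bytes:
    """DER CertID for ee: SHA-1 of ee's issuer Name, SHA-1 of the issuer's key, ee's serial."""
    if ee.issuer != issuer.subject:
        raise ValueError("supplied certificate is not the issuer of ee")
    name_hash = hashlib.sha1(ee.issuer).digest()
    key_hash = hashlib.sha1(subject_public_key(issuer.spki)).digest()
    hash_alg = der(0x30, der_oid(OID_SHA1) + b"\x05\x00")
    return der(0x30, hash_alg + der(0x04, name_hash) + der(0x04, key_hash) + der_int(ee.serial))


def build_scenario():
    """Constructed certs: CA X appears in two chains (signed by Root A, cross-signed by
    Root B) with one Name and one key; a third cert reuses CA X's Name with another key."""
    ca_name = name("Example Org", "Example CA X")
    ca_key = spki(b"\x01" * 64)
    via_root_a = Cert(ca_name, name("Root Org A", "Root A"), ca_key, 1001)
    via_root_b = Cert(ca_name, name("Root Org B", "Root B"), ca_key, 2002)
    same_name_other_key = Cert(ca_name, name("Root Org A", "Root A"), spki(b"\x02" * 64), 3003)
    ee = Cert(name("Example Org", "www.example.test"), ca_name, spki(b"\x03" * 64), 0x0ABC)
    return ee, via_root_a, via_root_b, same_name_other_key


if __name__ == "__main__":
    ee, a, b, other = build_scenario()
    print("same CertID via either chain:          ", cert_id(ee, a) == cert_id(ee, b))
    print("same Name, different key, same CertID: ", cert_id(ee, a) == cert_id(ee, other))
```

Nothing in the CertID depends on the AIA URL carried by either chain, so a responder asked about `ee` receives an identical question from a client that built the Root A chain and one that built the Root B chain; which responder is asked, and what it chooses to answer, is a separate matter from how the issuer is named in the request.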
