[CentOS] https and self signed
Александр Кириллов
nevis2us at infoline.su
Fri Jun 17 20:39:33 UTC 2016
- Previous message: [CentOS] https and self signed
- Next message: [CentOS] https and self signed
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> yes and no, but faking a valid OCSP response that says good instead of
> revoked is also possible ...

Could you please provide any proof for that statement? If it were true the whole PKI infrastructure should probably be thrown out of the window. )

> the primary reason was to prevent problems for connection problems -
> or whatever problems - in connection with the OCSP

Sure. I've never said privacy concerns were the main reason. Security concerns can probably be addressed with reducing update interval of issuer-signed OCSP responses. For my free wosign certificates it's 4 days and my understanding is that interval matches CRL update policy of the CA.

Per RFC2560 (see nextUpdate below):

  2.4 Semantics of thisUpdate, nextUpdate and producedAt

  Responses can contain three times in them - thisUpdate, nextUpdate and producedAt. The semantics of these fields are:

  - thisUpdate: The time at which the status being indicated is known to be correct
  - nextUpdate: The time at or before which newer information will be available about the status of the certificate
  - producedAt: The time at which the OCSP responder signed this response.

  If nextUpdate is not set, the responder is indicating that newer revocation information is available all the time.
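The RFC 2560 field semantics quoted above translate into a client-side freshness check. The following is an added example written for this thread (not code from the poster, the CentOS project, or any CA); the 5-minute skew tolerance and the 4-day maximum window are assumed policy values, the latter matching the update interval mentioned in the post, and the sample times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Policy values are assumptions for this example, not RFC requirements.
MAX_SKEW = timedelta(minutes=5)     # tolerated clock skew between client and responder
MAX_WINDOW = timedelta(days=4)      # longest thisUpdate..nextUpdate window (or age) the client accepts


@dataclass
class OcspTimes:
    """The three times carried in a BasicOCSPResponse SingleResponse/ResponseData."""
    this_update: datetime
    produced_at: datetime
    next_update: Optional[datetime] = None  # absent => newer information is available all the time


def check_freshness(t: OcspTimes, now: datetime,
                    max_window: timedelta = MAX_WINDOW,
                    skew: timedelta = MAX_SKEW) -> List[str]:
    """Return the list of problems found; an empty list means the response is acceptable."""
    problems: List[str] = []
    if t.this_update > now + skew:
        problems.append("thisUpdate is in the future")
    if t.produced_at < t.this_update:
        # Signed before the status it asserts was known to be correct.
        problems.append("producedAt earlier than thisUpdate")
    if t.next_update is None:
        # No nextUpdate: the responder promises fresh data on demand, so the client must
        # impose its own maximum age, otherwise a replayed "good" response never goes stale.
        if now - t.this_update > max_window:
            problems.append("no nextUpdate and response older than local maximum age")
    else:
        if t.next_update <= t.this_update:
            problems.append("nextUpdate not after thisUpdate")
        if now > t.next_update + skew:
            problems.append("response expired (past nextUpdate)")
        if t.next_update - t.this_update > max_window:
            # A long window is exactly the replay exposure discussed in the thread.
            problems.append("validity window longer than policy allows")
    return problems


if __name__ == "__main__":
    # Constructed sample: a 4-day window like the one described for the poster's certificates.
    t0 = datetime(2016, 6, 13, tzinfo=timezone.utc)
    resp = OcspTimes(this_update=t0, produced_at=t0, next_update=t0 + timedelta(days=4))
    print(check_freshness(resp, t0 + timedelta(days=1)))   # fresh
    print(check_freshness(resp, t0 + timedelta(days=5)))   # expired
```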