[CentOS] https and self signed
Александр Кириллов
nevis2us at infoline.suFri Jun 17 20:39:33 UTC 2016
- Previous message: [CentOS] https and self signed
- Next message: [CentOS] https and self signed
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> yes and no, but faking a valid OCSP response that says good instead of
> revoked is also possible ...
Could you please provide any proof for that statement? If it were true
the whole PKI infrastructure should probably be thrown out of the
window. )
> the primary reason was to prevent problems for connection problems -
> or whatever problems - in connection with the OCSP
Sure. I've never said privacy concerns were the main reason.
Security concerns can probably be addressed with reducing update
interval of issuer-signed OCSP responses. For my free wosign
certificates ii's 4 days and my understanding is that interval matches
CRL update policy of the CA.
Per RFC2560 (see nextUpdate below):
2.4 Semantics of thisUpdate, nextUpdate and producedAt
Responses can contain three times in them - thisUpdate, nextUpdate
and producedAt. The semantics of these fields are:
- thisUpdate: The time at which the status being indicated is known
to be correct
- nextUpdate: The time at or before which newer information will be
available about the status of the certificate
- producedAt: The time at which the OCSP responder signed this
response.
If nextUpdate is not set, the responder is indicating that newer
revocation information is available all the time.
- Previous message: [CentOS] https and self signed
- Next message: [CentOS] https and self signed
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the CentOS mailing list