[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [saag] X.509 certificate collision, via MD5 collisions

To: Robert Zuccherato <robert.zuccherato@xxxxxxxxxxx>
Subject: RE: [saag] X.509 certificate collision, via MD5 collisions
From: Stephen Kent <kent@xxxxxxx>
Date: Fri, 4 Mar 2005 18:43:19 -0500
Cc: "'Russ Housley'" <housley@xxxxxxxxxxxx>, ietf-pkix@xxxxxxx
In-reply-to: <7A3E1242FA9989439AD1F9B2D71C287F04274009@xxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <7A3E1242FA9989439AD1F9B2D71C287F04274009@xxxxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx


At 10:46 AM -0500 3/4/05, Robert Zuccherato wrote:

	<SNIP>
There are also some practical problems with overloading the serialnumber. CRLs will, in most circumstances, increase in size. Also,OCSP responders that pre-compute responses may have troublepre-computing "good" responses if they cannot predict which serialnumbers have been used. This issue would come up with respondersthat work from CRLs and assume that a certificate is "good" if it'sserial number doesn't appear on a CRL.

An OCSP responder is only supposed to indicate whether a cert isrevoked or not. so, if the cert is not in the CRL, it it not knownto be revoked, and if it is there is it revoked. absence from the CRLis not necessarily an indication of a "good" cert and any inferenceof that sort is an error.


Steve

Follow-Ups:
- RE: [saag] X.509 certificate collision, via MD5 collisions
  - From: Dave Engberg

References:
- RE: [saag] X.509 certificate collision, via MD5 collisions
  - From: Robert Zuccherato

Prev by Date: Re: Comments to SCVP ID 17
Next by Date: Re: [saag] X.509 certificate collision, via MD5 collisions
Previous by thread: Re: [saag] X.509 certificate collision, via MD5 collisions
Next by thread: RE: [saag] X.509 certificate collision, via MD5 collisions
Index(es):
- Date
- Thread