
Re: Online Certificate Revocation Protocol



Paul Hoffman / IMC <phoffman@xxxxxxx> writes:

>The latter is probably much more likely. Given that private keys are often 
>(usually?) protected with crackable passwords, the loss of a computer to an 
>attacker can be pretty disastrous. I assume that many CAs have out-of-band 
>revocation mechanisms for this case, but they certainly would take a long 
>time, and are probably difficult for a typical end user to find out about.
 
When I brought this up on the CMP list a while back, the response 
(tongue-in-cheek) was that users are expected to fly to the CA's place of 
business and beg in person to have their cert revoked.  This didn't strike me
as a very workable revocation mechanism.
 
(In case it isn't obvious anyway, I'm firmly in the scram-switch camp).
 
Peter.