| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 Aug 2008 15:08:57 -0500 From: Nicolas Williams <Nicolas.Williams@....com> To: Paul Hoffman <paul.hoffman@...c.org> Cc: bugtraq@...urityfocus.com, security@...nid.net, OpenID List <general@...nid.net>, cryptography@...zdowd.com, full-disclosure@...ts.grok.org.uk Subject: Re: OpenID/Debian PRNG/DNS Cache poisoning advisory On Fri, Aug 08, 2008 at 12:35:43PM -0700, Paul Hoffman wrote: > At 1:47 PM -0500 8/8/08, Nicolas Williams wrote: > >On Fri, Aug 08, 2008 at 02:08:37PM -0400, Perry E. Metzger wrote: > >> The kerberos style of having credentials expire very quickly is one > >> (somewhat less imperfect) way to deal with such things, but it is far > >> from perfect and it could not be done for the ad-hoc certificate > >> system https: depends on -- the infrastructure for refreshing all the > >> world's certs every eight hours doesn't exist, and if it did imagine > >> the chaos if it failed for a major CA one fine morning. > > > >The PKIX moral equivalent of Kerberos V tickets would be OCSP Responses. > > > >I understand most current browsers support OCSP. > > ...and only a tiny number of CAs do so. Not that long ago nothing supported OCSP. If all that's left (ha) is the CAs then we're in good shape. (OCSP services can be added without modifying a CA -- just issue the OCSP Responders their certs and let them use CRLs are their source of revocation information.)
Powered by blists - more mailing lists