[openssl-users] Thoughts about security, privacy, ...

Matt Caswell matt at openssl.org
Sun Nov 1 09:25:15 UTC 2015



On 01/11/15 08:21, Walter H. wrote:
> On 31.10.2015 23:23, Michael Ströder wrote:
>> Walter H. wrote:
>>> give me a hint for finding S/MIME certificates, finding my own would
>>> be nice;
>> You claim that clear-text OCSP requests are not a privacy issue.
> yes ..., a security problem I mentioned in connection with stupid CAs
> some posts before is the bigger problem ...
>> So you should
>> explain how you keep your *public*-key cert from being intercepted
>> somewhere.
> depends on the CA; a CA that has a directory public browseable in ithe
> internet this is impossible,
> in other words, the CA itself is the problem in this case;

CT is the answer to a big problem. I fail to see that CAs deploying CT
is a problem. I also don't see why only a CA can do this. There might be
some adversaries that are perfectly capable of building large databases
of certificates that they have "collected" from the internet.


>> You can't.
> really? try to find my S/MIME public key certificate ...
> your "update" shows only SSL certificates; and as a said, SSL
> certificates are not a problem ...

Sorry, I must have missed that point? Why do you believe SSL
certificates are not a problem? Unless you meant your example of a cert
with a large number of alt names. But if so, I fail to see why the
existence of some certificates where the amount of information an
attacker could gain is smaller (but not nil) means that we should not
deploy OCSP over https for *all* certificates?

I also very much hope that CAs will deploy CT for S/MIME too.

Matt


More information about the openssl-users mailing list