[openssl-users] Thoughts about security, privacy, ...

Walter H. Walter.H at mathemainzel.info
Sun Nov 1 12:07:57 UTC 2015

On 01.11.2015 10:25, Matt Caswell wrote:
> CT is the answer to a big problem. I fail to see that CAs deploying CT
> is a problem. I also don't see why only a CA can do this. There might be
> some adversaries that are perfectly capable of building large databases
> of certificates that they have "collected" from the internet.
a computer tomograph as answer for a not really existing problem?
and collecting SSL certificates is not a big thing;

as long as the security problems aren't really solved, the privacy 
concerns don't exist;
>>> You can't.
>> really? try to find my S/MIME public key certificate ...
>> your "update" shows only SSL certificates; and as a said, SSL
>> certificates are not a problem ...
> Sorry, I must have missed that point? Why do you believe SSL
> certificates are not a problem?
because this the request contains only contain the certificate serial 
number and not the certificate at all;
what would you know, when sniffing a request of validating a certificate 
with serial 575775757
from CA x?
in case you have a database, where you could lookup the serial in 
connection with the CA x,
then you have some information that raise some little privacy concerns, 
but without ...

having tracking pixels, strange scripts raise bigger problems: in 
security and privacy ...

> But if so, I fail to see why the
> existence of some certificates where the amount of information an
> attacker could gain is smaller (but not nil) means that we should not
> deploy OCSP over https for *all* certificates?
of course, when deploying OCSP over TLS, this must be done for ALL 
certificates; but relaying
on OCSP Stapling which itself is a security hole, is the wrong way;
(I mentioned this problem earlier)
when validating if it is save to connect to a host,
the information must come from third party and not from the host itself 
(as OCSP Stapling is done)
> I also very much hope that CAs will deploy CT for S/MIME too.
only in hospitals ;-)

always think of this:
not the defect head light caused the accident, where the car slipped of 
the road ;-)

in other words, always think of the real cause before;
OCSP and CRL downloads are not the cause for privacy concerns, so there 
is no need of changing this;


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4312 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151101/f9c690ba/attachment-0001.bin>

More information about the openssl-users mailing list