[openssl-users] Thoughts about security, privacy, ...

Michael Ströder michael at stroeder.com
Sat Oct 31 12:01:00 UTC 2015

Walter H. wrote:
> On 30.10.2015 21:42, Michael Ströder wrote:
>> Walter H. wrote:
>>> On Thu, October 29, 2015 11:07, Jakob Bohm wrote:
>>>> She (Eve) would know that the requesting party Alice
>>>> was talking to Bob at the very moment she sent Trent
>>>> the OCSP *request* for Bob's certificate.
>>>> [...] equivalent of having (almost complete) real time
>>>> copies of everybody's phone bill/call records.
>>>> Who was calling who at what time.
>>> this is not a problem as long as the public keys (the certificates) are
>>> not really public;
>>> because in your example Eve doesn't have the knowledge which certificate
>>> the specific serial number has ...
>>> if the public keys (the certificates) are searchable by public - the worst
>>> case direct by a search engine like google - then you would get an
>>> absolute security hole:
>> Update for you: https://crt.sh/
> you know the difference between SSL and S/MIME?

I know the difference very well - probably even longer than you.

1. Google's certificate transparency project is not limited to certain
certificate types.
2. Privacy concerns are raised because of browsers validating server certs via
OCSP during TLS connect.

=> OCSP should be feasible over TLS in the spirit of RFC 7258.

Ciao, Michael.
