Interesting post by Jacob Appelbaum on the compromise of a trusted CA that was used to issue fraudulent certificates: https://blog.torproject.org/blog/detecting-certificate-authority-compromises... The discussion shows up (yet again) one of the (several) killer problems of CRL/OCSP-style blacklisting, since you can only blacklist certs that you know that a certificate vending machine has issued, there could be arbitrary numbers of further certs out there that can't be revoked because the vending machine doesn't know that it issued them. Peter. _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE