Well, make that hard choice: do you want to have your software fail when an up-to-date CRL is not available, or do you want to make your software susceptible to a denial-of-service attack on the CRL distro process?
Same question if your OCSP request fails without prejudice. If you go ahead and trust the certificate anyway, all the adversary has to do is jam your OCSP request. If you don't trust the certificate, then minor and temporary failures in the OCSP process become very visible.
These are the kind of hard questions (of the form "how much are you REALLY willing to pay for security?") that the horrible old men who task us cannot be bothered to consider. In this case, the cost is not of money but instead is of inconvenience due to non-robustness with respect to minor network failings.
As usual: the level of security required should be commensurate with the value of the asset to be protected.
Joseph Bruni wrote:
Gotcha. So it would be safe to assume that almost nobody uses CRLs since none of the software I use that does SSL seems to worry about the presence (or lack) of a CRL. Wonderful. That really inspires confidence.
I'll just bump the nextUpdate field out and make sure that the CA is keeping the CRL up-to-date.
On Dec 29, 2003, at 7:19 PM, Dr. Stephen Henson wrote:
The reason this is often done is that if you allow an expired CRL to be used then someone could use a revoked certificate that hadn't been revoked in the expired CRL but has been revoked in the current one.
Steve.
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
--
Charles B. (Ben) Cranston mailto:[EMAIL PROTECTED] http://www.wam.umd.edu/~zben
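As an added illustration of the trade-off Ben describes (not code from this thread or from OpenSSL), here is a small Python model of the two policies, using a constructed CRL record in place of a parsed X.509 CRL; the names `Policy`, `Crl`, `check_revocation` and `scenario` are assumptions for the example.

```python
"""Model of the CRL fail-closed vs fail-open decision from the thread.
Added illustration: the CRL below is a constructed record, not a parsed CRL."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Policy(Enum):
    HARD_FAIL = "hard-fail"  # unusable CRL -> reject; robust to revocation, fragile to outages
    SOFT_FAIL = "soft-fail"  # unusable CRL -> accept; robust to outages, fragile to jamming


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime   # the nextUpdate field discussed in the thread
    revoked: frozenset      # serial numbers the CRL lists as revoked


def check_revocation(serial: int, crl, now: datetime, policy: Policy):
    """Return (accept, reason) for one certificate serial under the given policy."""
    if crl is None:  # CRL fetch failed, or was jammed by an adversary
        return (policy is Policy.SOFT_FAIL, "no CRL available")
    stale = now > crl.next_update
    if stale and policy is Policy.HARD_FAIL:
        return (False, "CRL expired (nextUpdate passed)")
    if serial in crl.revoked:  # even a stale CRL still knows about older revocations
        return (False, "serial listed in CRL" + (" (stale)" if stale else ""))
    # Soft-fail with a stale CRL: anything revoked after thisUpdate is invisible here,
    # which is exactly the gap Henson's reply describes.
    return (True, "not in CRL" + (" (stale, newer revocations unknown)" if stale else ""))


def scenario():
    """Constructed timeline: CRL issued day 0, valid 7 days; a cert revoked day 10; check on day 12."""
    t0 = datetime(2003, 12, 20, tzinfo=timezone.utc)
    crl = Crl(t0, t0 + timedelta(days=7), frozenset({0x1001}))
    now = t0 + timedelta(days=12)
    newly_revoked = 0x2002  # revoked on day 10, so absent from this (expired) CRL
    return {
        "soft_expired": check_revocation(newly_revoked, crl, now, Policy.SOFT_FAIL),
        "hard_expired": check_revocation(newly_revoked, crl, now, Policy.HARD_FAIL),
        "soft_jammed": check_revocation(0x3003, None, now, Policy.SOFT_FAIL),
        "hard_jammed": check_revocation(0x3003, None, now, Policy.HARD_FAIL),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenario().items():
        print(f"{name:13s} accept={ok!s:5s} {why}")
```

The `soft_expired` and `hard_jammed` rows are the two costs the thread weighs: one lets a newly revoked certificate through, the other turns a CRL outage into a service outage.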