Jorey Bump wrote:
>> [...] OK, if someone acquired your CA's key you're deep in the dirt, regardless whether you use CRLs or not, since the evil one can build his/her own CRLs with the signature of your CA. ;)
>
> But only with the passphrase of the CA private key, correct?

Yes, correct, the bad guy must be able to decrypt the key. But typically it's easier to crack the password protecting the private key than cracking the key itself... But that's leading elsewhere.

>> I don't know very much about OCSP since I haven't used it till now. As I understand it it's a webserver-plugin (cgi or perl or something like that) that looks up a certificate's serial number in its local CRL and returns (essentially) TRUE or FALSE.
>
> It'll never catch on -- too efficient. :)

Don't be so sure about this, you probably overlooked the "essentially"! ;)

Ted ;)

-- 
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
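The "serial number in the local CRL, TRUE or FALSE" lookup that the thread sketches, and the point that a CRL is only as good as the signature on it, as an added example that is not part of the thread. It uses the Python `cryptography` library (assumed installed); the CA names, the serial numbers 1001, 1002 and 4242, and the "Rogue CA" key are constructed test data, not anything from the list discussion. The checker returns "unknown" rather than "good" for a CRL whose signature does not verify against the CA or whose nextUpdate has passed, so a forged or stale CRL can never clear a certificate.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_ca(common_name):
    """Create a self-signed CA key and certificate (constructed test data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def build_crl(signing_key, issuer_cert, revoked_serials):
    """Build and sign a CRL listing the given serial numbers as revoked.

    signing_key is whatever key the CRL author holds; only when it is the
    CA's own key does the result verify against the CA certificate.
    """
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_cert.subject)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=7))
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now)
            .build()
        )
    return builder.sign(signing_key, hashes.SHA256())


def crl_status(crl, ca_cert, serial, now=None):
    """The lookup a CRL-backed OCSP responder essentially performs.

    Returns "revoked", "good" or "unknown". "unknown" covers a CRL that is
    not signed by the CA or is past its nextUpdate: fail closed, never open.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "unknown"
    # Newer cryptography releases expose next_update_utc; older ones only the
    # naive-UTC next_update property, so fall back to that.
    expiry = getattr(crl, "next_update_utc", None)
    if expiry is None and crl.next_update is not None:
        expiry = crl.next_update.replace(tzinfo=datetime.timezone.utc)
    if expiry is not None and now > expiry:
        return "unknown"
    if crl.get_revoked_certificate_by_serial_number(serial) is not None:
        return "revoked"
    return "good"


def demo():
    """Run the four cases a checker must get right; returns their statuses."""
    ca_key, ca_cert = make_ca("Example Test CA")       # constructed CA
    crl = build_crl(ca_key, ca_cert, [1001, 1002])      # constructed serials
    # A CRL built by someone who does not hold the CA's key (the scenario
    # discussed above, minus the stolen key): same issuer name, wrong key.
    rogue_key, _ = make_ca("Rogue CA")
    forged = build_crl(rogue_key, ca_cert, [])
    far_future = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=30)
    return {
        "revoked": crl_status(crl, ca_cert, 1001),
        "good": crl_status(crl, ca_cert, 4242),
        "forged": crl_status(forged, ca_cert, 1001),
        "stale": crl_status(crl, ca_cert, 4242, now=far_future),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The forged CRL lists nothing as revoked; a checker that skipped the signature step would report serial 1001 as "good". That is exactly why the thread's observation matters: whoever can sign with the CA key controls the revocation answer, and nothing short of that key should.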