On Thu, Mar 24, 2011 at 14:16:49 -0430, Patrick O'Callaghan <pocallaghan@xxxxxxxxx> wrote: > > Wierd advice IMHO. There are a number of practical reasons for not > checking CRLs (Certificate Revocation Lists) all the time, but sending > cert serial numbers to the CA is not among them. The serial number is > not secret information (neither is the cert itself of course). If you > don't trust the CA, then better disable certs entirely, not just CRL > checking. Sending the serial number to the CA allows the CA to guess (with high probability of being correct) that you are visiting the web page that they sold the certificate for. This information can be resold to other companies for marketing purposes (or other reasons). If there is any money in this, I wouldn't expect Verisign to pass the opportunity up based on other similar stuff they have done. -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
