Re: HOW to set “security.OCSP.require” in Google Chrome/Chromium?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Mar 24, 2011 at 14:16:49 -0430,
  Patrick O'Callaghan <pocallaghan@xxxxxxxxx> wrote:
> 
> Wierd advice IMHO. There are a number of practical reasons for not
> checking CRLs (Certificate Revocation Lists) all the time, but sending
> cert serial numbers to the CA is not among them. The serial number is
> not secret information (neither is the cert itself of course). If you
> don't trust the CA, then better disable certs entirely, not just CRL
> checking.

Sending the serial number to the CA allows the CA to guess (with high
probability of being correct) that you are visiting the web page that
they sold the certificate for. This information can be resold to other
companies for marketing purposes (or other reasons). If there is any
money in this, I wouldn't expect Verisign to pass the opportunity up based
on other similar stuff they have done.
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux