On Thu, 2011-03-24 at 14:10 -0500, Bruno Wolff III wrote:
> On Thu, Mar 24, 2011 at 14:16:49 -0430,
>   Patrick O'Callaghan <pocallaghan@xxxxxxxxx> wrote:
> >
> > Weird advice IMHO. There are a number of practical reasons for not
> > checking CRLs (Certificate Revocation Lists) all the time, but sending
> > cert serial numbers to the CA is not among them. The serial number is
> > not secret information (neither is the cert itself of course). If you
> > don't trust the CA, then better disable certs entirely, not just CRL
> > checking.
>
> Sending the serial number to the CA allows the CA to guess (with high
> probability of being correct) that you are visiting the web page that
> they sold the certificate for. This information can be resold to other
> companies for marketing purposes (or other reasons). If there is any
> money in this, I wouldn't expect Verisign to pass the opportunity up based
> on other similar stuff they have done.

Even if that's true, it doesn't belie what I just said. If you don't
trust the CA, don't use their services at all.

There does not exist, and never can exist, a means of securing
communication between two parties that don't trust each other unless
they both decide to place some level of trust in a third party. CAs are
just one way to do that (and clearly they need to get their act
together). Web-of-trust mechanisms are another but I don't know of any
mainstream browsers that support them.

poc

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
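What the CA actually receives during the revocation check Bruno describes, shown as an added example that is not part of the thread: a per-certificate OCSP status request (RFC 6960) carries the issuer name hash, issuer key hash and the certificate serial number in cleartext, which together identify the site certificate (a plain CRL download, by contrast, fetches the issuer's whole list and reveals only the CRL URL). The issuer Name DER, issuer key bytes and serial number below are constructed sample values, and the encoder and decoder are hand-written here on the standard library rather than taken from any TLS stack.

```python
import hashlib

# Constructed sample inputs, not from any real CA: DER issuer Name (CN=Ex CA),
# the issuer's public key bytes, and the serial of the site certificate.
ISSUER_NAME_DER = bytes.fromhex("3010310e300c06035504030c054578204341")
ISSUER_KEY = b"constructed-issuer-public-key-bytes"
SERIAL = 0x0123456789ABCDEF
OID_SHA1 = bytes.fromhex("2b0e03021a")  # 1.3.14.3.2.26, CertID hash per RFC 6960

def der(tag, body):
    """Encode one definite-length DER TLV."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(n):
    """DER INTEGER for n >= 0; the extra octet keeps a high-bit value positive."""
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_ocsp_request(issuer_name_der, issuer_key, serial):
    """Unsigned OCSPRequest with one CertID (RFC 6960 section 4.1.1)."""
    cert_id = der(0x30, der(0x30, der(0x06, OID_SHA1) + der(0x05, b""))   # hashAlgorithm
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())     # issuerNameHash
                  + der(0x04, hashlib.sha1(issuer_key).digest())          # issuerKeyHash
                  + der_int(serial))                                      # serialNumber
    request_list = der(0x30, der(0x30, cert_id))  # SEQUENCE OF Request { reqCert }
    return der(0x30, der(0x30, request_list))     # OCSPRequest { TBSRequest { ... } }

def tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, offset just past it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long form: low bits give the number of length octets
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length

def cert_id_from_request(body):
    """Read the request as the responder does: descend to CertID, return its fields."""
    for _ in range(5):  # OCSPRequest > TBSRequest > requestList > Request > CertID
        _, body, _ = tlv(body)
    fields, pos = [], 0
    while pos < len(body):
        _, value, pos = tlv(body, pos)
        fields.append(value)
    return {"issuer_name_hash": fields[1], "issuer_key_hash": fields[2],
            "serial": int.from_bytes(fields[3], "big")}
```

Nothing in the request is encrypted or padded, so the responder (the CA or whoever it delegates to) learns which certificate, and therefore which site, the client is about to talk to.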