It's my understanding that there is a mechanism to automatically get CRLs in IE, but not all CAs use the optional item in the relevant RFC. Verisign used a specific 'well known' URL to host their CRL
X.509 v3 certificates can contain an optional extension called CRL Distribution Point containing a URL to the specific CRL on which that certificate would appear.
VeriSign do use this - take a look at crl.verisign.com in your browser and see how many different CRLs VeriSign have. Each issued certificate points to the CRL where it would be revoked.
a URL is, unfortunately, not 100% reliable.
Agreed. However there are many more things that could go wrong - bad routing, internet traffic, load on the CRL web server, trying to fetch the CRL when you're on a LAN hitting an intranet when you have no Internet access, etc.
Hence Microsoft didn't turn CRL checking on by default for SSL certs.
Imagine if between 2000 and 2007 Verisign went bankrupt, got bought by AOL/Time/Warner, or decided to change its name to 'SuperAwesomeSign.com'? What if the nature of internet addressing changes? Unicode, IPv6, .xxx...
Comodo's own certificate on their server https://secure.comodo.net/ is signed by the GTE CyberTrust Global Root. Geotrust uses the Equifax Secure root CA. Name changes are ugly, but they have happened.
On the other hand, for CRL locations they simply need to put a new URL into new certs, and when the existing install base of certs expire, they can retire the old URL.
To enable server certificate revocation, in the Internet Options dialog box, click the Advanced tab, and then select the Check for server certificate revocation check box...
And then REBOOT. *cough* How's that for good user interface design?
The point is that it is off by default, and not trivial to enable.
MSIE7+ on Windows Vista will have both OCSP and CRL functioning, and ON BY DEFAULT.
It would be great to see someone write a Firefox extension which merged the CRLs into Firefox
Firefox will download CRLs repeatedly, once you have already done it manually once. Go to crl.verisign.com in Firefox, and click on one of the CRLs. Firefox will import it for you and offer to fetch it periodically.
What Firefox is not doing - yet - is to look for a CRL Distribution Point URL in a certificate and then automatically download the CRL from that location.
Re:Do you even know what SSL certificates are for? (on "SSL Cert Revocation Lists?", Score: 2, Informative)
The only point of a third-party signed SSL certificate is so that you can say "OK, I am trying to connect to www.myfavoirtestore.com. Is the data actually coming from there, or am I actually getting data from www.hackersite.com that intercepted the transmission/hijacked the DNS/whatever?".
Aah, but if you connect to www.paypa1.com, such a system would confirm that it legitimately has an SSL certificate for www.paypa1.com but you have no way of knowing who operates www.paypa1.com (assuming you noticed that it was not www.paypal.com). Ditto for www.paypal-secure.com or www.my-paypal.com or www-paypal.com or whatever variation I can think of.
So your philosophy may work for you, but it doesn't work for the general public.
SSL encryption without authentication is like talking to somebody in a private, dark room where you are sure you can't be overheard - but you can't see who you are talking to.
I'm pretty sure all CAs have OCSP servers. I know mine does.
The SSL cert on secure.comodo.net does not have an AuthorityInformationAccess extension in it with the URI of an OCSP responder. Hence nobody can check it via OCSP. This may mean that Comodo does not have an OCSP server - on the other hand, perhaps they just don't put the URI in every cert.
MSIE7+ on Windows Vista will have OCSP too, and it will be enabled by default. Most likely Firefox will turn it on by default at some point too if they are satisfied it will not "break the internet".
If a CA's OCSP responder goes down, ALL sites using their certificates will be instantly knocked off the web as the browsers will refuse to connect to them.
In South Africa, contracts don't even have to be signed to be binding - all that is required is a (verbal) agreement that a particular document is the binding version of the contract.
So emails could be enforced as contracts even without digital signatures...
Complaining about Rosetta / Launchpad's openness is like complaining about Google not releasing their code. Both provide services, while using OSS to provide the platform.
Canonical may release the Rosetta code at some point, but the benefit will be the database of translations. There's not much point in running Rosetta on two different systems, since the whole benefit is sharing translations among multiple distros and upstream and downstream packages.
That doesn't sound like helping Debian, but forking Debian.
It's no secret that each Ubuntu release is a fork of Debian Unstable. There are only 2 alternatives: Get your patches into Debian itself and use the Debian releases, or fork, and contribute the patches back to Debian. For the sake of speed of release, the second option is what Ubuntu uses.
However, each Ubuntu release is a fresh fork from Sid, with other upstream packages rolled in. So Ubuntu is absolutely relying on Debian, and will continue to do so.
I quite understood it - it just seems like an amateur attempt at marketing.
At the rate Ubuntu is growing in popularity, with NO actual marketing, I think it says something about the marketing industry actually. Why pay somebody a fortune to come up with a weird and wonderful brand and name when all you actually need is a great product?
Talking about putting in a self-destruct, you've gotta make sure it doesn't get triggered if the bot returns to base... or runs out of juice like a meter before it gets back to the controller...
Well, each family member could be a distro. The father could be Fedora, or perhaps RHEL. The mother could be SuSE, the teenage boy could be Gentoo, the daughter could be skolelinux and the baby could be Damn Small Linux...
Tempest shmempest. A much more serious side-channel attack (i.e. an attack that allows one to break encrypted data or protocols through means other than the information transmitted intentionally by the card) is power analysis. This attack is exceedingly effective against many smart cards... is this one protected?
Just run seti@home^H^H^H^Hcard on it during idle times and you'll mask the power consumption!
Take your pick: GeoTrust
Comodo
Thawte
VeriSign
The famous Blue Sky of Death!
Looking for people like this? http://www.pov.lt/ Of course you may want a different language but I'm sure there are other groups like this...
It's actually Ubuntu Linux customized to run Firefox in full screen mode like a kiosk...
The chair in front of the computer will be labelled, "My User"...
Exactly. Like Google or Yahoo. Seen the code to either of those?
Actually according to Seth Godin, all marketers are liars.
Which was released 2 days ago...
Rock!
See here for mirrors of archive.ubuntu.com - not slashdotted as of a moment ago...
Seen the Distrowatch ranking?
Yes, looks like it is going to be available for download under Creative Commons at some point!
Umm, Diebold make ATMs. Therefore they should make voting machines?