Full Disclosure: Re: PGP vs. certificate from Verisign

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Full Disclosure mailing list archives

Re: PGP vs. certificate from Verisign

From: Jason <security () brvenik com>
Date: Sat, 10 May 2003 15:55:30 -0400


yossarian wrote:

What I wonder - will Verisign have set up CRL servers yet? Remember the IE
problem when someone got hold of MS certificates? The MS-fix was
blacklisting them locally, the real problem was that there was no revocation
servers. Then again, how many concurrent connections would they get if MS
sent out a critical update?

So - stick to PGP - forget about PKI.

IIRC, the problem was not that Verisign could not revoke the keys it wasthat IE had no way of checking the revocation status, It was a MSimplementation problem not a problem with the issuing authority. Thishas been resolved in IE ( in some places ) and you can now enable therevocation checking however it is not enabled by default.


Google provided a good place to brush up on the incident.
http://www.amug.org/~glguerin/opinion/revocation.html


[snip] ...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

By Date By Thread

Current thread:

Re: [OFFTOPIC] PGP vs. certificate from Verisign, (continued)
- RE: PGP vs. certificate from Verisign Evans, TJ (BearingPoint) (May 09)
  - Re: PGP vs. certificate from Verisign yossarian (May 09)
    - Re: PGP vs. certificate from Verisign Jason (May 10)
    - Re: PGP vs. certificate from Verisign yossarian (May 10)
    - Re: PGP vs. certificate from Verisign Jason (May 10)
    - Re: PGP vs. certificate from Verisign yossarian (May 10)
    - Re: PGP vs. certificate from Verisign Shawn McMahon (May 11)
    - Re: PGP vs. certificate from Verisign yossarian (May 12)