OpenID/Debian PRNG/DNS Cache poisoning advisory

Paul Hoffman paul.hoffman at
Fri Aug 8 15:35:43 EDT 2008

At 1:47 PM -0500 8/8/08, Nicolas Williams wrote:
>On Fri, Aug 08, 2008 at 02:08:37PM -0400, Perry E. Metzger wrote:
>>  The kerberos style of having credentials expire very quickly is one
>>  (somewhat less imperfect) way to deal with such things, but it is far
>>  from perfect and it could not be done for the ad-hoc certificate
>>  system https: depends on -- the infrastructure for refreshing all the
>>  world's certs every eight hours doesn't exist, and if it did imagine
>>  the chaos if it failed for a major CA one fine morning.
>The PKIX moral equivalent of Kerberos V tickets would be OCSP Responses.
>I understand most current browsers support OCSP.

...and only a tiny number of CAs do so.

--Paul Hoffman, Director
--VPN Consortium

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list