Microsoft also pushes out CRLs (along with updated CA certs) as part of its monthly Windows Update cycle.
posted on 03/23/2011 7:53:09 PM PDT
Didn’t know that, thanks. Of course, you still need to have CRL checking enabled in the browser for it to do any good.
posted on 03/23/2011 7:56:33 PM PDT
(Stand for life or nothing at all)
Out of curiosity, would it be possible for new certificates to be bundled with signatures (of the new certificate) signed with any previous certificates that might reasonably be in use, and for browsers to warn any time an attempt is made to access a site for which the browser has a certificate, but which advertises a new certificate that isn't signed by the old one?
If on the first time my machine accesses mywonderfulbank.com, the request gets intercepted by a site which has a bogus certificate, there'd be no way my machine could catch that, but if my machine had previously accessed the real mywonderfulbank.com and received a certificate, there would be no way a phony certificate could pass muster without a warning.
posted on 03/23/2011 8:28:21 PM PDT
(Barry Soetoro == Bravo Sierra)
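As an added example (not part of the original thread) of the continuity check proposed in the post above: a Go client remembers each site's key and accepts a changed key only if the remembered key signed it. The `Cert`, `Pins`, `Issue` and `rolloverMsg` names are hypothetical, and bare Ed25519 keys stand in for X.509 certificates, with one rollover signature per certificate.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

type Cert struct { // constructed stand-in for a site certificate, not real X.509
	Host        string
	Key         ed25519.PublicKey
	RolloverSig []byte // signature over this cert made with the previous key
}

func rolloverMsg(c Cert) []byte { return append([]byte("rollover|"+c.Host+"|"), c.Key...) }

// Issue makes a key pair for host; a non-nil prev key signs the new cert.
func Issue(host string, prev ed25519.PrivateKey) (Cert, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	c := Cert{Host: host, Key: pub}
	if prev != nil {
		c.RolloverSig = ed25519.Sign(prev, rolloverMsg(c))
	}
	return c, priv
}

// Pins maps a host to the key the client last accepted; Check updates it.
type Pins map[string]ed25519.PublicKey

func (p Pins) Check(c Cert) string {
	old, seen := p[c.Host]
	switch {
	case !seen:
		p[c.Host] = c.Key // first visit: nothing to compare against
		return "first-use"
	case old.Equal(c.Key):
		return "unchanged"
	case ed25519.Verify(old, rolloverMsg(c), c.RolloverSig):
		p[c.Host] = c.Key
		return "rolled-over"
	}
	return "warn" // changed key that the remembered key did not sign
}

func main() {
	pins := Pins{}
	c1, k1 := Issue("mywonderfulbank.com", nil)
	c2, _ := Issue("mywonderfulbank.com", k1)  // renewal signed by the old key
	c3, _ := Issue("mywonderfulbank.com", nil) // unrelated key, no cross-signature
	fmt.Println(pins.Check(c1), pins.Check(c2), pins.Check(c3))
}
```

With a single rollover signature, a client that missed one renewal gets a warning on the next legitimate certificate, which is why the post suggests signing with every previous certificate that might still be in use.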