S/MIME keys (was: What Are Some Good Projects For Novices?)

Michael Ströder michael at stroeder.com
Tue Aug 28 14:42:37 EDT 2001


Paul Rubin wrote:
> 
> "Steve Holden" <sholden at holdenweb.com> writes:
> > > Browser CRL checking (at least in MSIE 5.x) works by checking incoming
> > > certificates against a CRL at the CA, from what I understand.
> >
> > That may well be the case, but to check the CRL a browser is under no
> > obligation to report the URL for which the check is being performed. So you
> > can't track people by access to the CRL like DoubleClick do with access to
> > ad graphics (and even that only works when the client sends the "Referer:"
> > HTTP header).
> 
> I'm talking about what browsers actually do, not what they might
> conceivably be programmed to do.  No they don't report the specific
> URL.  But they do have to identify the certificate, which says what
> the host is.  That's generally most of the interesting info.

1. This is highly off-topic here: Followup-To set.

2. The browser sometimes (usually not for each hit) downloads the
CRL as a whole from the CA's repository and examines it to determine
if the server cert was revoked. It does not ask for the validity of
a specific cert. You might be talking about something like OCSP,
which is another thing (although some people mess these things up).

Please, since the PKIX stuff is complicated enough, try to be as
precise as possible or do not write anything about it. Readers
might get confused easily otherwise.

Ciao, Michael.
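
An added illustration of the CRL versus OCSP distinction drawn in the message above; it is not part of the original post. It models in Python, with constructed hosts and serial numbers and hypothetical names (`CA`, `CRLClient`, `run`), what the CA's side can observe when a client checks revocation each way.

```python
# Model with constructed data and hypothetical names: what the CA's server can
# observe when a client checks revocation via a CRL versus via OCSP.
from dataclasses import dataclass, field

@dataclass
class CA:
    revoked: set                      # serial numbers the CA has revoked
    crl_lifetime: int = 3600          # seconds until the CRL's nextUpdate
    log: list = field(default_factory=list)   # what the CA side gets to see

    def fetch_crl(self, now):
        """CRL: the whole list is served; the request names no certificate."""
        self.log.append(("crl-download", None))
        return {"revoked": frozenset(self.revoked),
                "next_update": now + self.crl_lifetime}

    def ocsp_query(self, serial):
        """OCSP: the request itself identifies the certificate in question."""
        self.log.append(("ocsp-request", serial))
        return "revoked" if serial in self.revoked else "good"

class CRLClient:
    """Caches the CRL until nextUpdate and does the lookup locally."""
    def __init__(self, ca):
        self.ca, self.crl = ca, None

    def is_revoked(self, serial, now):
        if self.crl is None or now >= self.crl["next_update"]:
            self.crl = self.ca.fetch_crl(now)     # not on every hit
        return serial in self.crl["revoked"]

def run(mode):
    """Visit three constructed hosts; return (results, CA-side log)."""
    ca = CA(revoked={0x1002})
    visits = [("shop.example", 0x1001, 0), ("bank.example", 0x1002, 60),
              ("mail.example", 0x1003, 120)]     # (host, cert serial, time)
    client = CRLClient(ca)
    results = {}
    for host, serial, now in visits:
        if mode == "crl":
            results[host] = client.is_revoked(serial, now)
        else:
            results[host] = ca.ocsp_query(serial) == "revoked"
    return results, ca.log

if __name__ == "__main__":
    for mode in ("crl", "ocsp"):
        results, log = run(mode)
        print(mode, results, log)
```

Both modes reach the same revocation verdicts; only the OCSP log carries one entry per certificate checked.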


