List-Id: Gentoo Linux mail
In-Reply-To: <527AEEB3.4080109@yahoo.ca>
References: <20131105033007.GA23263@linux1> <20131105144915.GM22282@server> <52791F2E.2020704@orlitzky.com> <527A9478.10208@whissi.de> <527AE624.7020201@orlitzky.com> <527AEEB3.4080109@yahoo.ca>
Date: Wed, 6 Nov 2013 20:17:11 -0600
Subject: Re: [gentoo-dev] OCSP was: friendly reminder wrt net virtual in init scripts
From: Gordon Pettey
To: gentoo-dev@lists.gentoo.org

On Wed, Nov 6, 2013 at 7:36 PM, Alex Xu wrote:
> On 06/11/13 08:00 PM, Michael Orlitzky wrote:
>> On 11/06/2013 02:11 PM, Thomas D. wrote:
>>
>>> This is going OT but I cannot leave this statement uncommented,
>>> because from my knowledge this is wrong/you are hiding important
>>> information everyone should know about:
>>
>> I figure everyone here is smart enough to google "OCSP" before
>> unchecking the box. This isn't the place to argue that the CA system
>> is broken, but I will respond to a few points.
>
> I figure everyone here is smart enough not to spread knowingly-incorrect
> propaganda.
>
>>> Regarding your privacy concerns: No, your OCSP-enabled browser
>>> won't share the address (URL) with the OCSP responder. Your browser
>>> will use the site's certificate serial number to ask the OCSP
>>> responder if the certificate is still valid. Yes, the company who
>>> is running the OCSP responder is able to log "You [IP, UA...]
>>> requested status for certificates with the serial number 0x1, 0x2,
>>> 0x3" and because the OCSP responder needs some basic knowledge
>>> about the certificates it should provide answers for, the operator
>>> may know that the certificate with the serial number 0x1 has the
>>> Common Name (CN) "www.mysecretsite.invalid" and 0x2 was issued for
>>> "www.mydarksecrets.invalid" or 0x3 was for "www.facebook.com", but
>>> the operator doesn't know the URL you visited.
>>
>> This is a long way of saying "it sends the address of every website
>> you visit to a third party."
>
> Addresses, in the context of web browsing, are commonly understood to
> mean URLs, which include protocol, name, port, and path.
>
> OCSP only sends the "name" portion. Thus, the statement was a long way
> of saying "you are wrong."

A bit of additional consideration: Given the above statement and RFC 2560,
OCSP sends the certificate serial, not the name. With the availability of
"Wildcard" certificates and the subjectAltName parameter, with many
certificates that serial will not let the CA actually know which domain you
are visiting.
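As an added illustration, not part of this thread: the Python below (standard library only) builds the RFC 2560 OCSP request for one certificate from constructed issuer data and decodes it the way a responder would. The CertID it carries is the hash of the issuer's DER name, the hash of the issuer's public key bits and the serial number; the site's hostname is never in the bytes sent. The issuer name, key bits, serial and hostname are constructed placeholders.

```python
import hashlib
# Minimal DER helpers written for this example (standard library only).
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):  # INTEGER; DER pads with 0x00 when the top bit is set
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return tlv(0x02, (b"\x00" + b) if b[0] & 0x80 else b)

def der_cn_name(cn):  # Name { RDN { CN (2.5.4.3) = UTF8String } }
    atv = tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

SHA1_ALGID = tlv(0x30, bytes.fromhex("06052B0E03021A") + b"\x05\x00")  # sha1, NULL params
def cert_id_fields(issuer_name_der, issuer_key_bits, serial):
    """All a CertID carries: sha1(issuer DER Name), sha1(issuer public key bits), serial."""
    return hashlib.sha1(issuer_name_der).digest(), hashlib.sha1(issuer_key_bits).digest(), serial

def build_ocsp_request(issuer_name_der, issuer_key_bits, serial):
    """Unsigned RFC 2560 OCSPRequest for one certificate, no extensions."""
    name_hash, key_hash, serial = cert_id_fields(issuer_name_der, issuer_key_bits, serial)
    cert_id = tlv(0x30, SHA1_ALGID + tlv(0x04, name_hash) + tlv(0x04, key_hash) + der_int(serial))
    request = tlv(0x30, cert_id)                 # Request { reqCert CertID }
    tbs_request = tlv(0x30, tlv(0x30, request))  # TBSRequest { requestList SEQUENCE OF Request }
    return tlv(0x30, tbs_request)                # OCSPRequest { tbsRequest }

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def parse_cert_id(request_der):
    """What the responder receives: (issuerNameHash, issuerKeyHash, serial), nothing else."""
    body = request_der
    for _ in range(5):  # OCSPRequest > TBSRequest > requestList > Request > CertID contents
        _, body, _ = _read_tlv(body, 0)
    _, _, pos = _read_tlv(body, 0)  # hashAlgorithm, skipped
    _, name_hash, pos = _read_tlv(body, pos)
    _, key_hash, pos = _read_tlv(body, pos)
    _, serial, _ = _read_tlv(body, pos)
    return name_hash, key_hash, int.from_bytes(serial, "big")

# Constructed sample inputs: a made-up issuer, placeholder key bits, serial 0x1 as in the thread.
ISSUER_NAME = der_cn_name("Example CA (constructed)")
ISSUER_KEY_BITS = bytes(range(64))
SITE_HOST = b"www.mysecretsite.invalid"
```

Mapping the serial back to a hostname needs the issuer's own records, which is the step the thread is arguing about; the request itself gives the responder only the three CertID values.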