Assume revocation of certificates is handled in the following way: when a user B
ID: 3572832 • Letter: A
Question
Assume revocation of certificates is handled in the following way: when a user Bob claims that the private key corresponding to the public key pk_B has been stolen, the user sends to the CA a statement of this fact signed with respect to pk_B. Upon receiving such a signed message, the CA revokes the appropriate certificate. Explain why it is not necessary for the CA to check Bob's identity in this case. In particular, explain why it is of no concern that an adversary who has stolen Bob's private key can forge signatures with respect to pk_B.
Explanation / Answer
This is because of OCSP stapling with SSL. The OCSP response is signed to ensure that it has not been modified before being sent back to the CA, and this is the technique that has a very low chance of being tampered with, although it has some disadvantages, which are:
It is still not supported by many browsers. This results in either the OCSP validity method not being used or standard OCSP being used instead.
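The revocation scheme described in the question can be modelled directly, and doing so makes the point concrete: the only thing the CA has to verify is that the revocation statement carries a valid signature under pk_B. Below is an added illustration, not code from the original question or answer; it uses Go's standard-library Ed25519 in place of whatever signature scheme the certificate actually uses, and the toy CA, the statement format and the names Bob/Mallory are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// CertRecord is the CA's view of one issued certificate (toy model, constructed for this example).
type CertRecord struct {
	Subject string
	PubKey  ed25519.PublicKey
	Revoked bool
}

// RevocationRequest is the statement "the private key for this public key has been stolen",
// signed with the private key that corresponds to PubKey.
type RevocationRequest struct {
	PubKey    ed25519.PublicKey
	Statement []byte
	Signature []byte
}

// CA indexes certificates by the raw bytes of the public key.
type CA struct {
	certs map[string]*CertRecord
}

func NewCA() *CA { return &CA{certs: map[string]*CertRecord{}} }

// Issue records a certificate binding subject to pk (no real X.509 here).
func (ca *CA) Issue(subject string, pk ed25519.PublicKey) {
	ca.certs[string(pk)] = &CertRecord{Subject: subject, PubKey: pk}
}

// IsRevoked reports whether the certificate for pk has been revoked; unknown keys are not revoked.
func (ca *CA) IsRevoked(pk ed25519.PublicKey) bool {
	rec, ok := ca.certs[string(pk)]
	return ok && rec.Revoked
}

// ProcessRevocation accepts the request if and only if the signature verifies under the
// public key named in the request. There is deliberately no identity check: anyone who can
// produce this signature holds the private key, and whether that is Bob or a thief, the
// correct outcome is the same, the certificate is revoked.
func (ca *CA) ProcessRevocation(req RevocationRequest) error {
	rec, ok := ca.certs[string(req.PubKey)]
	if !ok {
		return errors.New("no certificate issued for this public key")
	}
	if !ed25519.Verify(req.PubKey, req.Statement, req.Signature) {
		return errors.New("signature does not verify under pk_B; request ignored")
	}
	rec.Revoked = true
	return nil
}

// SignRevocation builds the signed statement for pk using sk, whoever happens to hold sk.
// The statement names the key so it cannot be mistaken for a statement about another key.
func SignRevocation(pk ed25519.PublicKey, sk ed25519.PrivateKey) RevocationRequest {
	stmt := []byte("REVOKE: private key for " + hex.EncodeToString(pk) + " has been stolen")
	return RevocationRequest{PubKey: pk, Statement: stmt, Signature: ed25519.Sign(sk, stmt)}
}

// TryRevoke issues a certificate for pk on a fresh CA, submits a revocation request for pk
// signed with signingKey, and reports whether the CA ended up revoking it.
func TryRevoke(pk ed25519.PublicKey, signingKey ed25519.PrivateKey) (revoked bool, err error) {
	ca := NewCA()
	ca.Issue("Bob", pk)
	err = ca.ProcessRevocation(SignRevocation(pk, signingKey))
	return ca.IsRevoked(pk), err
}

// Scenario exercises the three parties from the question: Bob with his own key, a thief
// holding a copy of Bob's key, and an outsider (Mallory) who holds only her own key.
func Scenario() (bobRevoked, thiefRevoked, outsiderRevoked bool) {
	pkB, skB, _ := ed25519.GenerateKey(rand.Reader)
	_, skMallory, _ := ed25519.GenerateKey(rand.Reader)
	stolenCopy := ed25519.PrivateKey(append([]byte(nil), skB...)) // thief's copy of sk_B

	bobRevoked, _ = TryRevoke(pkB, skB)             // accepted: Bob holds sk_B
	thiefRevoked, _ = TryRevoke(pkB, stolenCopy)    // accepted: same key, same outcome, and that is fine
	outsiderRevoked, _ = TryRevoke(pkB, skMallory)  // rejected: cannot sign under pk_B without sk_B
	return
}

func main() {
	bob, thief, outsider := Scenario()
	fmt.Printf("Bob revokes: %v, thief revokes: %v, outsider revokes: %v\n", bob, thief, outsider)
}
```

The design choice worth noticing is that the signed statement buys the holder of sk_B exactly one action at the CA, revocation, and that action is what Bob wants whenever the key is in anyone else's hands. Checking identity would add nothing, because the signature already proves possession of sk_B, and the CA cannot tell Bob's signature from the thief's; the request from Mallory is rejected purely on the failed signature check, so the absence of an identity check does not let arbitrary parties revoke other people's certificates.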