Timeline for What is the most secure way to do OCSP signing without creating validation loops?
Current License: CC BY-SA 3.0
6 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Dec 9, 2012 at 9:54 | vote accept | makerofthings7 | | |
| Dec 9, 2012 at 9:55 | | | | |
| Jun 3, 2012 at 17:22 | comment added | D.W. | | "Threat model" just means: What kind of attacker are you trying to defend against? (e.g., what motivation, what skills, what access, what capabilities, etc.) Or, what kind of attacks are you trying to defend against? And, what attacks/attackers are out of scope? In the web world, there are a few standard threat models: (1) network attacker (a man-in-the-middle, so the attacker has full control over your network), (2) web attacker (attacker can set up a malicious website and lure the user to it, but cannot play man-in-the-middle or send spoofed network packets). |
| Jun 3, 2012 at 17:20 | history edited | D.W. | CC BY-SA 3.0 | deleted 172 characters in body |
| Jun 3, 2012 at 6:54 | comment added | makerofthings7 | | Corrected typo "expired" vs "revoked" - Thanks! |
| Jun 3, 2012 at 6:53 | comment added | makerofthings7 | | I need to learn how to discuss things in terms of a threat model. Any tips? I was thinking of PKI-based apps in general such as IE, AD Auth with smart cards, Exchange S/MIME, .NET Code validation. (Yes I'm aware that my "in general" was limited to MSFT there, but I want to include more than just web :)) |
| Jun 3, 2012 at 4:14 | history answered | D.W. | CC BY-SA 3.0 | |