Date:      Wed, 09 Mar 2011 13:56:48 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   Re: what is the “Online Certificate Status Protocol”
Message-ID:  <4D778720.9090704@infracaninophile.co.uk>
In-Reply-To: <12e99f423ff.2462355771286561226.-9090912966546650150@zoho.com>
References:  <12e99f423ff.2462355771286561226.-9090912966546650150@zoho.com>


On 09/03/2011 09:30, erikmccaskey64 wrote:
> But: with Wireshark I can see some "OCSP" packets [ http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol ]
>
>
> Question: What are these packets? Why aren't they in HTTPS?

This is your browser trying to check if the SSL certs for the sites you
are visiting are still valid.  Certs can be cancelled by their issuer
before the built-in expiration date for various reasons -- e.g. if there
has been a security compromise on the server and it is suspected that
someone has been able to steal the key and cert.

OCSP is one means of checking SSL certificate validity.  Another is
checking Certificate Revocation Lists issued by CAs.  Neither of these
requires encryption at the network level, as the content that is
downloaded is already cryptographically signed.  Since it is public
knowledge, all the crypto is used for is to authenticate the data, not
encrypt it.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
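
The point made in the reply above, that an OCSP answer is protected by a signature rather than by encryption, as an added example that is not part of the original message: using Ruby's bundled openssl library, a throwaway CA signs an OCSP response and a client believes it only if the signature verifies. The helper names make_cert, ocsp_answer and check_status, and every certificate value, are constructed for this illustration.

```ruby
require "openssl"

# Throwaway certificate for the demo (constructed test data, not a real CA).
def make_cert(cn, serial, key, issuer = nil, issuer_key = key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 86_400
  ca_ext = OpenSSL::X509::ExtensionFactory.new.create_extension("basicConstraints", "CA:TRUE", true)
  cert.add_extension(ca_ext) unless issuer # self-signed here means "this is the CA"
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Responder side: a status for cert, signed but not encrypted. The signer's
# certificate is not embedded; the client supplies the CA certificate itself.
def ocsp_answer(cert, ca_cert, signer_cert, signer_key, status)
  basic = OpenSSL::OCSP::BasicResponse.new
  basic.add_status(OpenSSL::OCSP::CertificateId.new(cert, ca_cert), status,
                   OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE, -3600, -300, 3600, [])
  basic.sign(signer_cert, signer_key)
  OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, basic).to_der
end

# Client side: the bytes arrived over plain HTTP, so the status is believed
# only if the signature verifies against the CA the client already trusts.
def check_status(der, cert, ca_cert)
  basic = OpenSSL::OCSP::Response.new(der).basic
  store = OpenSSL::X509::Store.new.add_cert(ca_cert)
  return :rejected unless basic&.verify([ca_cert], store)
  single = basic.find_response(OpenSSL::OCSP::CertificateId.new(cert, ca_cert))
  return :rejected unless single&.check_validity
  { OpenSSL::OCSP::V_CERTSTATUS_GOOD => :good,
    OpenSSL::OCSP::V_CERTSTATUS_REVOKED => :revoked }.fetch(single.cert_status, :unknown)
rescue OpenSSL::OCSP::OCSPError
  :rejected
end

ca_key = OpenSSL::PKey::RSA.new(2048)
ca = make_cert("Example Test CA", 1, ca_key)
site = make_cert("www.example.test", 0x1001, OpenSSL::PKey::RSA.new(2048), ca, ca_key)
der = ocsp_answer(site, ca, ca, ca_key, OpenSSL::OCSP::V_CERTSTATUS_REVOKED)
puts check_status(der, site, ca)     # intact response
der.setbyte(-1, der.getbyte(-1) ^ 1) # one bit changed on the wire
puts check_status(der, site, ca)     # signature no longer verifies
```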

