From: Matthew Seaman
Date: Wed, 09 Mar 2011 13:56:48 +0000
To: freebsd-questions@freebsd.org
Subject: Re: what is the “Online Certificate Status Protocol”

On 09/03/2011 09:30, erikmccaskey64 wrote:
> But: with Wireshark I can see some "OCSP" packets
> [ http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol ]
>
>
> Question: What are these packets? Why aren't they in HTTPS?

This is your browser trying to check if the SSL certs for the sites you
are visiting are still valid. Certs can be cancelled by their issuer
before the built-in expiration date for various reasons -- e.g. if there
has been a security compromise on the server and it is suspected that
someone has been able to steal the key and cert.

OCSP is one means of checking SSL certificate validity. Another is
checking Certificate Revocation Lists issued by CAs. Neither of these
requires encryption at the network level, as the content that is
downloaded is already cryptographically signed. Since it is public
knowledge, all the crypto is used for is to authenticate the data, not
encrypt it.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
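Added example, not part of the original message: a Go program showing why signed revocation data can be fetched over plain HTTP. It uses a CRL rather than an OCSP response because Go's standard library can create and verify CRLs; the CA, the serial number and the function names issue and isRevoked are constructed for the illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue plays the CA (constructed for this example): a CA certificate plus a signed CRL revoking serial.
func issue(serial *big.Int) (*x509.Certificate, []byte) {
	key, now := must(rsa.GenerateKey(rand.Reader, 2048)), time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, IsCA: true,
		NotBefore: now, NotAfter: now.Add(time.Hour), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	list := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: serial, RevocationTime: now}}}
	return ca, must(x509.CreateRevocationList(rand.Reader, list, ca, key))
}

// isRevoked plays the client: crlDER arrived over plain HTTP, so nothing in it
// is believed until the CA's signature over it has been verified.
func isRevoked(crlDER []byte, ca *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil {
		return false, fmt.Errorf("CRL rejected: not parsable or not signed by %q", ca.Subject.CommonName)
	}
	match := func(e x509.RevocationListEntry) bool { return e.SerialNumber.Cmp(serial) == 0 }
	return slices.ContainsFunc(crl.RevokedCertificateEntries, match), nil
}

func main() {
	serial := big.NewInt(0x0BADC0DE)
	ca, crl := issue(serial)
	fmt.Println(isRevoked(crl, ca, serial)) // genuine CRL
	crl[len(crl)-1] ^= 1                    // one bit altered in transit
	fmt.Println(isRevoked(crl, ca, serial)) // signature no longer verifies
}
```

Needs Go 1.21 or later, for the slices package and RevokedCertificateEntries.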