The problem here is that, rather than worrying about one particular cert getting compromised, you now have to worry about every CA in the world getting compromised, a much more likely possibility.
It seems the best course of action would be to trust only an individual cert, and check for revocation.
Also, OCSP is basically a joke: it works every single time, except when it matters (an attacker controlling your view of the world).