Gerv, have you read the current "security.OCSP.require in Firefox" thread on mozilla.dev.security?
Daniel Veditz said yesterday...

"An alternate approach I'd like to lobby our front-end guys on would be to put up a scary red bar when we can't validate OCSP. Users can still get to their sites so they won't ditch us for another browser, site owners are still getting traffic so they won't be breathing down _our_ neck (too much), but the site will look a little scary and link to an explanation so site owners can take the issue up with their CA and users have the opportunity to decide not to submit sensitive data over the connection."

This morning I suggested changing the boolean user pref of which you speak into 3 radio buttons:

  "When an OCSP server connection fails:
     o ignore the problem
     o show a warning (the new default)
     o treat the certificate as invalid"

So rather than just "OK" and "Not OK", I'd like to see 3 categories:

1. OK. Continue to download and display the webpage.

2. Maybe OK. Display a warning message about problems with the response from, or problems accessing, the CA's OCSP Responder. Continue to download and display the webpage.

3. Not OK. Display a message that the certificate is revoked. Block access to the webpage.

"Maybe OK" would be treated as "OK" if "ignore the problem" is selected, or as "Not OK" if "treat the certificate as invalid" is selected.

I would treat No Response, 400 response, 500 response and "tryLater" as "Maybe OK"s.

On Tuesday 13 October 2009 14:54:01 Gervase Markham wrote:
> Firefox uses OCSP but, by default, any response other than a definite
> "is revoked" response is treated as "is not revoked". There is a user
> pref that allows the user to change that, so that any response other
> than "is not revoked" is treated as "is revoked".
>
> IMO, we need to be smarter about that.
> Here's a straw man:
>
> OK:
> 200 response with OK
> No response (network problems)
>
> Not OK:
> 200 response with revocation
> 400 response (OCSP responder actively denying response)
> 500 response (OCSP responder broken)
>
> What do people think? Putting 400 and 500 in "not OK" makes it harder to
> inject a failure in order to get Firefox to pass a cert. Although one
> can still inject an OCSP tryLater <sigh>.
>
> Gerv

-- 
Rob Stradling
Senior Research & Development Scientist
C·O·M·O·D·O - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

Comodo CA Limited, Registered in England No. 04058690
Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
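The three-way policy sketched in the message above (OK / Maybe OK / Not OK, with "Maybe OK" resolved by the proposed radio-button pref), written out as an added Python model; this is example code for this page, not Firefox or NSS code. The OcspOutcome fields are a constructed model, and treating every non-"successful" OCSPResponseStatus and a CertStatus of "unknown" as "Maybe OK" is an assumption that generalizes the tryLater case named in the thread.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Verdict(Enum):
    OK = "ok"              # 1. continue and display the page
    MAYBE_OK = "maybe_ok"  # 2. display the page, but show a warning bar
    NOT_OK = "not_ok"      # 3. treat the cert as invalid, block the page

class OnOcspFailure(Enum):
    """The proposed 3-way replacement for the boolean security.OCSP.require pref."""
    IGNORE = "ignore the problem"
    WARN = "show a warning"            # proposed new default
    INVALID = "treat the certificate as invalid"

@dataclass(frozen=True)
class OcspOutcome:
    """Constructed model of one OCSP fetch (not an NSS structure).
    http_status None means the connection never produced an HTTP reply."""
    http_status: Optional[int]
    response_status: Optional[str] = None  # OCSPResponseStatus, e.g. "successful", "tryLater"
    cert_status: Optional[str] = None      # CertStatus when successful: "good" / "revoked" / "unknown"

def classify(o: OcspOutcome) -> Verdict:
    """Sort an OCSP outcome into the three categories from the thread."""
    if o.http_status is None:
        return Verdict.MAYBE_OK            # No response (network problem, or a dropped connection)
    if o.http_status >= 400:
        return Verdict.MAYBE_OK            # 400 / 500 from the responder
    if o.response_status != "successful":
        return Verdict.MAYBE_OK            # tryLater; assumed to cover the other error statuses too
    if o.cert_status == "good":
        return Verdict.OK
    if o.cert_status == "revoked":
        return Verdict.NOT_OK              # the only verdict that blocks regardless of the pref
    return Verdict.MAYBE_OK                # "unknown": assumption, the thread does not cover it

def decide(o: OcspOutcome, pref: OnOcspFailure) -> Verdict:
    """Resolve "Maybe OK" according to the user's radio-button choice.
    Definite verdicts (good / revoked) are never changed by the pref."""
    verdict = classify(o)
    if verdict is not Verdict.MAYBE_OK:
        return verdict
    return {OnOcspFailure.IGNORE: Verdict.OK,
            OnOcspFailure.WARN: Verdict.MAYBE_OK,
            OnOcspFailure.INVALID: Verdict.NOT_OK}[pref]
```

Running `decide(OcspOutcome(http_status=None), pref)` for each pref shows the point of the proposal: a responder that cannot be reached is silently accepted only under "ignore the problem", warns under the proposed default, and is rejected under "treat the certificate as invalid".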