On 13/10/2009 15:54, Gervase Markham wrote:
> Firefox uses OCSP but, by default, any response other than a definite
> "is revoked" response is treated as "is not revoked". There is a user
> pref that allows the user to change that, so that any response other
> than "is not revoked" is treated as "is revoked".
>
> IMO, we need to be smarter about that.
>
> Here's a straw man:

My view: I would defer any "smarter" things that reduce customer
usability until (a) everyone has OCSP really well worked throughout,
end-to-end ... and (b) we see some actual evidence that suggests that
the risk of an OCSP interference is something worth worrying about.
By far the number one threat to PKI is denial of service. That is, it
denies service to users, and users go elsewhere, and are then
unprotected. As the number one threat that PKI could help with is
secure browsing, if it was widely deployed, and secure browsing is
resulting in billion dollar losses ... it is far more important to
spread usage of certificates than to make them secure against imagined
and theoretical bogeymen.
That's just me :)
iang

> OK:
>   200 response with OK
>   No response (network problems)
>
> Not OK:
>   200 response with revocation
>   400 response (OCSP responder actively denying response)
>   500 response (OCSP responder broken)
>
> What do people think? Putting 400 and 500 in "not OK" makes it harder to
> inject a failure in order to get Firefox to pass a cert. Although one
> can still inject an OCSP tryLater <sigh>.
>
> Gerv
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
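
The three policies discussed in this thread (the default, the strict user pref, and the straw man), compared over the response outcomes it lists; this is an added example, not part of the original messages and not Firefox or NSS code. All names are hypothetical, "400"/"500" are assumed to mean the 4xx/5xx classes, and a 200 carrying tryLater is assumed to be accepted by the straw man because the straw man does not list it.

```python
# Added illustration; every name here is hypothetical, not a Firefox/NSS identifier.
from typing import NamedTuple, Optional

SUCCESSFUL, TRY_LATER = 0, 3  # OCSPResponseStatus values (RFC 6960)

class Outcome(NamedTuple):
    http_status: Optional[int]   # None = no response (network problems)
    ocsp_status: Optional[int]   # None = no OCSP body was parsed
    cert_status: Optional[str]   # "good" or "revoked" when ocsp_status is SUCCESSFUL

def definite(o: Outcome) -> Optional[str]:
    """Return "good"/"revoked" only for a 200 carrying a successful OCSP answer."""
    if o.http_status == 200 and o.ocsp_status == SUCCESSFUL:
        return o.cert_status if o.cert_status in ("good", "revoked") else None
    return None

def default_policy(o: Outcome) -> bool:
    # Anything other than a definite "is revoked" is treated as "is not revoked".
    return definite(o) != "revoked"

def strict_pref_policy(o: Outcome) -> bool:
    # Anything other than a definite "is not revoked" is treated as "is revoked".
    return definite(o) == "good"

def straw_man_policy(o: Outcome) -> bool:
    if o.http_status is None:
        return True    # no response: OK
    if 400 <= o.http_status <= 599:
        return False   # 400 / 500 responses: not OK (assumed to mean 4xx / 5xx)
    # Assumption: a 200 with a non-definite status (tryLater) is unlisted in the
    # straw man; it is accepted here, as the closing remark about tryLater implies.
    return definite(o) != "revoked"

# Constructed sample outcomes, not captured traffic.
SAMPLES = {
    "200 good":     Outcome(200, SUCCESSFUL, "good"),
    "200 revoked":  Outcome(200, SUCCESSFUL, "revoked"),
    "no response":  Outcome(None, None, None),
    "400":          Outcome(400, None, None),
    "500":          Outcome(500, None, None),
    "200 tryLater": Outcome(200, TRY_LATER, None),
}

def compare() -> dict:
    """Map each sample to (default, strict pref, straw man) accept decisions."""
    return {name: (default_policy(o), strict_pref_policy(o), straw_man_policy(o))
            for name, o in SAMPLES.items()}

if __name__ == "__main__":
    for name, v in compare().items():
        print(f"{name:13} default={v[0]!s:5} strict={v[1]!s:5} straw_man={v[2]}")
```
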