[cabfpub] [cabfman] Update of Yngve's BR 1.1 issues + #10

Yngve N. Pettersen (Developer Opera Software ASA) yngve at opera.com
Fri May 25 19:07:09 UTC 2012


On Fri, 25 May 2012 19:49:43 +0200, Rick Andrews  
<Rick_Andrews at symantec.com> wrote:

> Yngve,
>> The scenario I write about here should be fairly infrequent; preferably  
>> it
>> should never happen. If it should happen, a few seconds delay is not a
>> problem, but we need a hard fail for the site using it.
>
> A few seconds delay *is* a problem. At the CABF Revocation meetings and  
> lists, I've heard several browser vendors complain that CAs take too  
> long to respond to OCSP requests. I doubt anyone would implement  
> hard-fail if they had to wait several seconds to get a response.

I suspect you are confusintg two different cases: The normal case, and the  
abnormal case.

In the normal case, yes, the lookup delay should be as short as possible.  
But this proposal is not about the normal case.

In the abnormal case, when the client is asking for the status of a  
certificate that according to the responder's own databases does not  
exists, and never existed, then a longer delay in order to phone home in  
order to make sure (it might have been issued since the last update from  
home) can be tolerated.

>> Which is generally considered non-fatal by many, if not all, browsers (I
>> seem to recall FF consider such returns fatal). In fact, in the Opera
>> 8.5x/8.6x timeframe we observed this response code from a major CA for  
>> two
>> *weeks*, among several such incidents.
>
> Instead of going to extreme measures like redefining established RFCs,  
> let's just not tolerate such behavior from CAs! The whole point of

That is part of the revocation workgroup goals. And, currently, we don't  
see such failures often, although I did last see an OCSP happen when I was  
booking the hotel for the Governance meeting in April.

However, we are currently dealing with the legacy of those previous  
failures, and the revoked status is AFAIK the only response we can be sure  
all clients treat as a fatal error, and for a fraudulently issued  
certificate it is also the correct response (or will be as soon as the CA  
takes notice)

> Baseline Requirements is to raise the bar for all CAs. IMO, that's more  
> easily achieved than changing RFCs.



-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve at opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
********************************************************************



More information about the Public mailing list