[cabfpub] Must Staple OID
Yngve N. Pettersen (Developer Opera Software ASA)
yngve at opera.com
Tue Oct 2 22:59:54 UTC 2012
I'd like to point out that
6.2 The TLS protocol arguably provides a sufficient degree of protection
against a version number downgrade attack and thus it could be argued
that this particular attribute is unnecessary.
while technically correct, it is currently not correct in practice.
The reason for this is that ~1.5% of TLS servers are version and/or
extension intolerant, forcing clients to "voluntarily" downgrade the TLS
version and/or disable other functionality to be able to access the
server. As Adam Langley from Google have documented, in some cases the
server is not directly responsible for these problems, but devices in the
network of the site.
In relation to this problem I have posted a suggestion for a heuristic
approach to handling the problem, using the TLS Renego Indication
extension as a proxy indication for version tolerance.
http://datatracker.ietf.org/doc/draft-pettersen-tls-version-rollback-removal/
The proposed certificate policy might assist in getting a handle on the
issue by using a different method, but I do wonder if server
administrators that have not upgraded their server to fix a security
vulnerability (and 57% of the unpatched servers are vulnerable to the full
attack) would take action to add such an extension to their certificate.
On Wed, 03 Oct 2012 00:33:19 +0200, Phillip <philliph at comodo.com> wrote:
> I just submitted the draft that I wrote with Rob's input back in May.
>
> We started off with just doing 'must staple'. Then when we looked at the
> problem in a little more detail we started to see a potential version
> downgrade attack on top. So this led to a slightly more general approach
> (but not very).
>
> http://tools.ietf.org/html/draft-hallambaker-tlssecuritypolicy-01
>
>
> On Sep 28, 2012, at 12:12 AM, Jeremy Rowley wrote:
>
>> Hi everyone,
>>
>> One of the items discussed during today’s revocation meeting was the
>> use of a “must staple” OID. Does anyone object to using
>> 2.23.140.16.1? 2.23.140 is the ca-browser-forum, 16 is ocsp, and 1
>> will become “must-staple”.
>>
>> Jeremy Rowley
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>
--
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer Email: yngve at opera.com
Opera Software ASA http://www.opera.com/
Phone: +47 96 90 41 51 Fax: +47 23 69 24 01
********************************************************************
More information about the Public
mailing list