[cabfpub] FW: Short lived OCSP signing certificate

Ryan Sleevi sleevi at google.com
Thu Sep 20 23:52:26 UTC 2012


On Thu, Sep 20, 2012 at 3:05 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:
> +1
>
> A site owner may discard or fail to protect the private key for a cert that they've revoked. By waiting until the cert expires, a malicious insider can take the private key and use it. If clients can't tell the difference between (revoked, then expired) and (expired, never revoked), they should assume the worst case.
>
> -Rick

And if, rather than taking the discarded private key, this malicious
insider simply generated a new key and self-signed certificate, what
then? Should user agents refuse to connect to any of these sites with
untrusted certs?

Attackers will *always* choose the path of least resistance. If an
expired cert generates a hard fail, then they will go to an untrusted
cert. The only thing gained then, for users, is increased frustration
at browsers for making decisions for them, since they "know" the site
is fine.

For "untrusted" certs, for a number of reasons, ranging from cost to
complexity, site operators may decide to use certificates not issued
by one of the CAs participating in this august Forum. When they do so,
they have come to expect, over the past two decades, that the browsers
they use will be able to navigate to such sites, albeit with varying
degrees of "friction".

Sometimes the users and site operators may be fully apprised of the
security considerations of that behaviour, other times they may not
be, but regardless, it's a policy decision being made without the
consultation or configuration of the browsers and CAs that participate
here. Because of this, and because the forum has been opaque for so
long, such operators have continued to operate in this manner such
that it's more or less become standard practice. The cat of "legacy"
has so far sufficiently escaped the bag that changing this behaviour
more or less requires entirely different approaches (such as HSTS,
cert pinning, certificate transparency, and any number of other
schemes that can be used to bootstrap 'fail-closed' in a safe and
predictable manner).

Further, expiration itself has a high false-positive rate. Even major
sites can forget to renew their certificate from time to time.
Suggesting that an unfortunately common, embarrassing, "egg on their
face" incident be presented as a critical security incident only
serves to weaken the messaging to users of real security incidents.

While I do think that all of us that participate here are interested
in improving the security landscape for users, I think it's important
to ensure the security considerations are appropriately balanced, and
that the multi-participant nature of such considerations is
recognized. Regrettably, in terms of the Web PKI today, I suspect the
ship on expiration has since sailed.


