[cabfpub] Meta-Issues for EV App Dev Guidelines document (Meta Issue 3)

[Gervase Markham]

On 22/01/13 19:21, Rick Andrews wrote:
> Brian also raised concerns about the EV indicator switching on and off
> and confusing users. Rick agrees that it might be confusing, but asked
> what should happen if a later OCSP fetch failed because an attacker was
> in the middle or had otherwise changed the certificate to a different one?

Surely if it's a different certificate then a revocation check would be
required? I don't think Brian is arguing that if a site presents Cert A
and there's a successful revocation check, and it then presents Cert B
and the OCSP fetch fails, we should rely on the cached "OK" information
from the first check!

AIUI (and he may correct me if I'm wrong, although I know he's very busy
ATM), he is saying that if Cert A passes a check, and then subsequently
a fetch fails, we should assume Cert A continues to be OK for some
period of time. For this to be dangerous, an attacker would need to have
stolen the private key of Cert A from the webserver, and taken control
of the victim's network. But if they have control of the victim's
network, they can reply good OCSP responses up until they expire, at
least. So that gives them several days anyway.

Gerv