[cabfpub] OCSP Stapling and Short-Lived Certificates Proposal
Gervase Markham
gerv at mozilla.org
Mon Mar 25 10:37:15 UTC 2013
On 23/03/13 05:23, Ryan Sleevi wrote:
> If the CA has issued a valid, signed OCSP response, then they have no
> ability to revoke that certificate for any client that supports
> stapling, until that OCSP response expires.
And if I were an attacker, the very first thing I'd do, on obtaining my
dodgy cert, would be to grab a valid OCSP response for it so I had that
in the bank too.
> Finally, I’m guessing that any short lived cert issuance process is
> going to be totally automatic – machine to machine from CA to
> customer – repeated constantly unless turned off – without human
> intervention unless something goes wrong. I don’t trust automatic
> processes like that – how will the new short lived certs get through
> the customer’s firewalls to be installed, and how will the customer
> be sure the new cert is automatically installed correctly on the
> right servers – so I see potential new vectors for attack (or simple
> screw up).
>
> While understandable that there are technical complexities, the
> CA/Browser Forum should not attempt to prevent new markets or new
> techniques that can improve security - especially when they are
> demonstrably no worse than the existing security guarantees provided to
> relying parties by forum members.
I agree with Ryan that blocking this proposal on these particular
grounds would put us on a very sticky wicket.
Gerv