On Sep 8, 7:12 pm, Chris Palmer <[email protected]> wrote:
> On Thu, Sep 8, 2011 at 9:33 AM, nlsp <[email protected]> wrote:
> > This boils down to whether it is okay to prioritize availability over
> > security.
>
> Availability is a security guarantee just like confidentiality or integrity.

I disagree. To me, security means integrity prevails over availability.

> > Still, the actual question remains: does the Android browser
> > support CRL or OCSP in any form?
>
> Even desktop Firefox has security.OCSP.require set to false. Read the
> Imperial Violet post again carefully.

So there is security.OCSP.require and it can be set true. Good.

> > And since CRLs can be cached, it would be perfectly sane to have a
> > cached CRL on device for an intermediate that has been compromised,
>
> They get kind of big.
>
> > such as currently Diginotar “Staat der Nederlanden *” intermediates.
> > And note that removing the Diginotar root from cacerts.bks does not
> > help since the intermediates are chained up to a “Staat der
> > Nederlanden” root which is not compromised and should remain trusted.
>
> Actually, no, Staat der Nederlanden is also dead:
>
> https://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow...

You’re wrong. I’ve read all that. The *intermediate* is dead. That is, it should be. On Android, it is alive and trusted. Not good.

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
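The point argued above is that removing a root from cacerts.bks does nothing about a compromised intermediate that chains to a different, still-trusted root: ordinary path validation only asks whether the chain ends at a trusted anchor. The following is an added example, written for this page and not code from the thread, from Android, or from any browser, of how an app could close that gap itself: an X509TrustManager that wraps the platform's default trust manager and refuses any chain containing a blacklisted public key, wherever in the chain it sits. It uses only standard JSSE/java.security APIs. The blacklist contents are an assumption left to the operator (no hashes are supplied here); the hashes are computed over the certificate's SubjectPublicKeyInfo so that any certificate re-issued for the same compromised key pair is caught, not just the one copy you happened to see.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Wraps the platform X509TrustManager and rejects any chain that contains a
 * blacklisted public key. Path validation on its own walks through a compromised
 * intermediate as long as its issuer is a root that is still in the store; this
 * check looks at every certificate in the chain, not only the anchor.
 */
public final class BlacklistingTrustManager implements X509TrustManager {
    private final X509TrustManager platform;
    // Lowercase hex SHA-256 over the DER SubjectPublicKeyInfo of each blocked key.
    private final Set<String> blockedSpkiSha256;

    public BlacklistingTrustManager(X509TrustManager platform, Set<String> blockedSpkiSha256) {
        this.platform = platform;
        this.blockedSpkiSha256 = new HashSet<String>(blockedSpkiSha256);
    }

    /** The platform's default X509TrustManager (on Android, backed by the system cacerts store). */
    public static X509TrustManager platformDefault() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // a null KeyStore selects the platform default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("default TrustManagerFactory produced no X509TrustManager");
    }

    /** Hex SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo. */
    public static String spkiSha256Hex(X509Certificate cert) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    private void rejectBlacklisted(X509Certificate[] chain) throws CertificateException {
        // Every position in the chain is checked: the case that matters is an
        // intermediate that path validation would otherwise accept.
        for (X509Certificate cert : chain) {
            String fp;
            try {
                fp = spkiSha256Hex(cert);
            } catch (NoSuchAlgorithmException e) {
                throw new CertificateException("SHA-256 not available", e);
            }
            if (blockedSpkiSha256.contains(fp)) {
                throw new CertificateException("blacklisted public key in chain: "
                        + cert.getSubjectX500Principal() + " (spki sha256 " + fp + ")");
            }
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        rejectBlacklisted(chain); // hard failure first; the platform result cannot override it
        platform.checkServerTrusted(chain, authType);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        rejectBlacklisted(chain);
        platform.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return platform.getAcceptedIssuers();
    }

    /** An SSLContext whose connections pass through the blacklist check. */
    public static SSLContext sslContext(Set<String> blockedSpkiSha256) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        TrustManager tm = new BlacklistingTrustManager(platformDefault(), blockedSpkiSha256);
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    /** Prints the SPKI hash of each DER/PEM certificate file given, to build the blacklist from. */
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (String path : args) {
            InputStream in = new FileInputStream(path);
            try {
                X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
                System.out.println(spkiSha256Hex(cert) + "  " + cert.getSubjectX500Principal());
            } finally {
                in.close();
            }
        }
    }
}
```

Run `main` against the intermediate certificates you want to block to get the hashes, then hand that set to `sslContext(...)` and use the resulting context for the app's HTTPS connections. Two caveats: the chain passed to `checkServerTrusted` is what the peer sent, so if a server omits the compromised intermediate and the platform builds the path some other way, only the platform check sees that path; and this protects one app, not the system browser. Blacklisting by public key rather than by certificate hash or serial is the part worth keeping whatever the mechanism, since a CA whose key has been misused can mint as many fresh certificates for that key as it likes.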
