On 09/02/2016 07:02 PM, Nick Lamb wrote:
> On Friday, 2 September 2016 08:50:02 UTC+1, Eddy Nigg wrote:
>> Let's speak about relying parties - how does this bug affect you?
> As a relying party I am entitled to assume that there is no more than one
> certificate signed by a particular issuer with a certain serial number. If I
> have seen this certificate and verified by whatever means I choose that it's
> OK, then I can safely assume that any time I see a certificate in the future
> signed by that issuer with that same serial number it's the same one, and skip
> the verification process.

Well, according to the CA policies and relying party terms, you should always check with the CRL or OCSP responders if a certificate is considered valid or not. So the verification process shouldn't be skipped beyond the advertised refresh time (in CRLs/OCSP).

Of course if you do some sort of certificate pinning based on serial and issuer, then this wouldn't work. But I'm not aware of any common software that doesn't use the certificate's public key for pinning and relies just on serial numbers.

--
Regards
Signer:         Eddy Nigg, Founder
        StartCom Ltd. <http://www.startcom.org>
XMPP:   start...@startcom.org <xmpp:start...@startcom.org>
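The distinction drawn above between pinning on (issuer, serial) and pinning on the certificate's public key can be shown concretely. The following Go program is an added example, not code from this thread or from any of the participants: it builds a constructed test CA (the name "Example Test CA (constructed)" is made up for the example), issues two end-entity certificates from it that share the same serial number but carry different keys, and compares an (issuer, serial) cache key with an HPKP-style SPKI pin (base64 of the SHA-256 over the DER SubjectPublicKeyInfo). The serial-based key collides; the SPKI pin does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Constructed issuer name for this example only; it is not a real CA.
var caName = pkix.Name{CommonName: "Example Test CA (constructed)"}

// newKey generates a fresh P-256 key; every certificate below gets its own.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// newCA returns a self-signed test CA certificate and its private key.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               caName,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// issueLeaf issues an end-entity certificate with the given serial, signed by
// the test CA, with a freshly generated subject key.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string) (*x509.Certificate, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SerialIssuerKey is the cache key a relying party would use if it assumed
// (issuer, serial) uniquely identifies a certificate.
func SerialIssuerKey(c *x509.Certificate) string {
	return hex.EncodeToString(c.RawIssuer) + ":" + c.SerialNumber.Text(16)
}

// SPKIPin is the HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER)).
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// CompareCollision issues two certificates from the same test CA with the same
// serial but different keys and reports whether each identifier collides.
func CompareCollision() (serialCollides bool, pinCollides bool, err error) {
	ca, caKey, err := newCA()
	if err != nil {
		return false, false, err
	}
	a, err := issueLeaf(ca, caKey, 0x1234, "a.example")
	if err != nil {
		return false, false, err
	}
	b, err := issueLeaf(ca, caKey, 0x1234, "b.example")
	if err != nil {
		return false, false, err
	}
	return SerialIssuerKey(a) == SerialIssuerKey(b), SPKIPin(a) == SPKIPin(b), nil
}

func main() {
	s, p, err := CompareCollision()
	if err != nil {
		panic(err)
	}
	fmt.Printf("issuer+serial collides: %v, SPKI pin collides: %v\n", s, p)
}
```

The point for a relying party is that a cache keyed on (issuer, serial) would treat the second certificate as the already-vetted first one, while a pin on the SubjectPublicKeyInfo identifies the key actually presented; neither replaces the CRL/OCSP status check within its advertised validity window.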

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
