On 10/10/09 10:47 AM, Alexander Konovalenko wrote:
> Why is security.OCSP.require option set to false by default?
Because in practice the OCSP servers most CAs run are completely dysfunctional at worst (e.g. always return HTTP 500) and woefully underpowered at best. Some of them can handle something on the order of 1-2 OCSP requests per second, last it was tested (when AMO ended up down because the CA couldn't handle the OCSP requests for it). So requiring it would actually mean that sites that use OCSP would just stop working (due to the browser effectively executing a DDOS on servers not set up to handle it).
> A man-in-the-middle attacker sitting close to the client can easily arrange for the OCSP server to be inaccessible.
Yes, this is a problem. There's no good solution without CAs updating their OCSP setup, or Firefox implementing OCSP stapling, or likely both....
-Boris
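
The trade-off discussed in this message, as an added example that is not part of the original thread: a simplified Python model of the client's revocation decision with `security.OCSP.require` off (soft-fail) and on (hard-fail), with and without OCSP stapling. The function names and the load figures (50 clients per second against a responder that answers 2 per second) are constructed for illustration.

```python
from enum import Enum


class Ocsp(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"  # timeout, HTTP 500, or dropped by an on-path attacker


def responder_answer(cert_revoked, overloaded=False, blocked=False):
    """What the client learns from the CA's OCSP responder (simplified model)."""
    if overloaded or blocked:
        return Ocsp.UNAVAILABLE
    return Ocsp.REVOKED if cert_revoked else Ocsp.GOOD


def accept_connection(fetched, require, stapled=None):
    """Client decision. `require` models security.OCSP.require; `stapled` is a
    status the TLS server delivered itself (OCSP stapling), which the client
    uses instead of contacting the responder."""
    status = stapled if stapled is not None else fetched
    if status is Ocsp.REVOKED:
        return False
    if status is Ocsp.GOOD:
        return True
    return not require  # soft-fail accepts when no answer arrives; hard-fail rejects


def successful_loads(clients_per_sec, responder_capacity, seconds, require, stapling=False):
    """Page loads of a site with a valid certificate that succeed when the
    responder answers only `responder_capacity` requests each second."""
    ok = 0
    for _ in range(seconds):
        for i in range(clients_per_sec):
            fetched = responder_answer(False, overloaded=(i >= responder_capacity))
            stapled = Ocsp.GOOD if stapling else None
            ok += accept_connection(fetched, require, stapled)
    return ok


if __name__ == "__main__":
    # Constructed numbers: 50 clients/s against a responder that handles 2/s.
    print("hard-fail, no stapling:", successful_loads(50, 2, 10, require=True))
    print("soft-fail, no stapling:", successful_loads(50, 2, 10, require=False))
    print("hard-fail + stapling:  ", successful_loads(50, 2, 10, True, stapling=True))
    revoked_blocked = responder_answer(True, blocked=True)
    print("revoked cert, responder blocked, soft-fail accepts:",
          accept_connection(revoked_blocked, require=False))
    print("same, hard-fail accepts:", accept_connection(revoked_blocked, require=True))
```

In this model hard-fail alone breaks most loads of a legitimate site, soft-fail accepts a revoked certificate whenever the responder is unreachable, and hard-fail combined with stapling avoids both outcomes.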
