On Saturday 10 October 2009 16:05:32 Boris Zbarsky wrote: > On 10/10/09 10:47 AM, Alexander Konovalenko wrote: > > Why is security.OCSP.require option set to false by default? > > Because in practice the OCSP servers most CAs run are completely > dysfunctional at worst (e.g. always return HTTP 500) and woefully > underpowered at best.
Boris, what you've described is certainly true of some CAs. However, I disagree with your claim that "most CAs" are that incompetent. Comodo's OCSP Responder infrastructure handles many hundreds of OCSP requests per second. We are confident that our current servers could easily handle several times as much traffic, and we can easily add more servers when we need to increase the capacity still further. VeriSign claim to handle over one billion OCSP requests per day. If their servers are "woefully underpowered", surely we'd have heard about it by now!? Perhaps the time has come for the browsers to "force" all of the other CAs to take their OCSP responsibility seriously, by requiring OCSP by default. > Some of them can handle something on the order of > 1-2 OCSP requests per second, last it was tested (when AMO ended up down > because the CA couldn't handle the OCSP requests for it). The EV Guidelines say that "The CA MUST operate and maintain its CRL and/or OCSP capability with resources sufficient to provide a commercially-reasonable response time for the number of queries generated by all of the EV Certificates issued by the CA". That CA clearly fell short of this requirement. > So requiring it would actually mean that sites that use OCSP would just stop > working (due to the browser effectively executing a DDOS on severs not set > up to handle it). > > > A man-in-the-middle attacker sitting close to the client can easily > > arrange for the OCSP server to be inaccessible. > > Yes, this is a problem. There's no good solution without CAs updating > their OCSP setup, or Firefox implementing OCSP stapling, or likely both.... > > -Boris > _______________________________________________ > dev-security mailing list > dev-security@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security -- Rob Stradling Senior Research & Development Scientist C·O·M·O·D·O - Creating Trust Online Office Tel: +44.(0)1274.730505 Office Fax: +44.(0)1274.730909 www.comodo.com Comodo CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by Comodo for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software. _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security