On 10/10/09 7:47 AM, Alexander Konovalenko wrote:
> Why is the security.OCSP.require option set to false by default?

Currently there is no requirement that CAs support OCSP for non-EV
certificates, so some CAs don't. It would be nice if they then didn't
put OCSP URLs into their certs, but some do anyway (aspirational OCSP?).
The end result was that in our testing too many sites were unreachable
with this setting set to true. However, the site owners and our users
complained that since it "worked in IE" the blame must lie with Firefox.

It's getting much better since most of the largest CAs now offer EV
certs and have beefed up their infrastructure. We are working with the
CA/Browser Forum to make OCSP support a requirement for non-EV certs.

> Obtaining a rogue certificate for an existing website turns out to be
> surprisingly easy due to poor verification procedures of some CAs.

The surprise is that it is occasionally possible. I wouldn't characterize it as "easy" or it wouldn't be such a big deal each time someone finds a way to do it. If you know of a bad CA please let us know so we can investigate and remove them from the product if necessary.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
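The soft-fail versus hard-fail behaviour discussed in the message above, modelled as an added example (this is not Mozilla or NSS code; the outcome names, the `decide` function and the site list are constructed for illustration). It shows why a responder outage or a malformed response only blocks connections once `security.OCSP.require` is true, and why a certificate that carries no OCSP URL is never the problem: only certificates that advertise a responder which then fails produce the "site unreachable" reports the reply describes.

```python
"""Model of the OCSP soft-fail / hard-fail decision a browser makes after
attempting a revocation check. Added example; not Firefox/NSS code.
Outcome categories and the sample sites below are constructed."""

from __future__ import annotations

from enum import Enum


class OcspOutcome(Enum):
    GOOD = "good"                # responder says the certificate is not revoked
    REVOKED = "revoked"          # responder says it is revoked
    UNKNOWN = "unknown"          # responder does not know this serial number
    NO_URL = "no_url"            # certificate carries no OCSP URL, nothing to ask
    UNREACHABLE = "unreachable"  # timeout, connection refused, HTTP error
    MALFORMED = "malformed"      # response could not be parsed or its signature verified


def decide(outcome: OcspOutcome, require: bool) -> bool:
    """Return True if the TLS handshake may proceed.

    require=False models security.OCSP.require=false (soft-fail): only a
    definitive REVOKED answer blocks the connection.
    require=True models hard-fail: a certificate that advertises a responder
    must get a definitive GOOD answer, otherwise the connection is blocked.
    A certificate with no OCSP URL is accepted in both modes (assumption of
    this model, matching the message's point that such certs are not the
    ones that become unreachable).
    """
    if outcome is OcspOutcome.REVOKED:
        return False
    if outcome in (OcspOutcome.GOOD, OcspOutcome.NO_URL):
        return True
    # UNKNOWN, UNREACHABLE, MALFORMED: inconclusive, so the policy decides.
    return not require


def blocked_sites(results: dict[str, OcspOutcome], require: bool) -> list[str]:
    """Names of sites whose handshake would be refused under the given policy."""
    return sorted(site for site, outcome in results.items()
                  if not decide(outcome, require))


# Constructed test population: one site per outcome category a tester
# would have hit in the field.
SAMPLE_RESULTS: dict[str, OcspOutcome] = {
    "good-ca.example": OcspOutcome.GOOD,
    "aspirational-ocsp.example": OcspOutcome.UNREACHABLE,  # URL present, responder down
    "no-ocsp-url.example": OcspOutcome.NO_URL,
    "revoked.example": OcspOutcome.REVOKED,
    "flaky-responder.example": OcspOutcome.MALFORMED,
}

if __name__ == "__main__":
    for require in (False, True):
        print(f"security.OCSP.require={str(require).lower()}: "
              f"blocked {blocked_sites(SAMPLE_RESULTS, require)}")
```

The interesting rows are the inconclusive ones: a defender who turns on hard-fail should expect every responder timeout and every unverifiable response to surface as a user-visible connection failure, so the outage rate of the CAs' responders, not the revocation rate, is what determines whether the setting is usable.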