On 10/12/2009 05:19 PM, Daniel Veditz:

> The surprise is that it is occasionally possible. I wouldn't characterize it as "easy" or it wouldn't be such a big deal each time someone finds a way to do it. If you know of a bad CA please let us know so we can investigate and remove them from the product if necessary.

It must be understood that some issues can happen; nobody knows that better than our dear developers of the Mozilla software. I think nobody taunts that CA for their null bug; things like that can happen.

It's, however, total negligence on the part of that CA to advertise OCSP in the certificates and not have any means to live up to that promise. Revocation is one of the last defenses CAs have, and that's what it's here for. It's also a critical part of any WebTrust audit. This is where the big failure is, and I think it requires further investigation.

Besides that, I think that despite some wrangling and shuffling, OCSP will be a requirement for any CA pretty soon; the unified standard requirement will make it easier for browser vendors to hard-fail.

--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    [email protected]
Blog:    http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
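The failure mode the thread is about is a certificate that advertises an OCSP responder in its AIA extension while the responder never gives a usable answer, which only matters if the client hard-fails. The Go program below is an added illustration by the editor, not code from Mozilla, StartCom or anyone in the thread. It builds a self-signed test certificate with a constructed placeholder responder URL, extracts the advertised responders from the parsed certificate, and runs the same revocation check under a soft-fail and a hard-fail policy. The `Fetcher` type and the simulated responders are assumptions made so the example runs offline; a real client would POST a DER-encoded OCSPRequest to each URL instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RevocationPolicy is what a client does when every advertised responder fails.
type RevocationPolicy int

const (
	SoftFail RevocationPolicy = iota // responder down: proceed anyway (the 2009 browser default)
	HardFail                         // responder down: refuse the certificate
)

// OCSPStatus is the abstract outcome of one responder query.
type OCSPStatus int

const (
	StatusGood OCSPStatus = iota
	StatusRevoked
	StatusUnknown // responder answered but does not know this serial
)

// Fetcher performs the OCSP query for one responder URL. Hypothetical interface:
// injected so the example runs offline against simulated responders.
type Fetcher func(url string) (OCSPStatus, error)

var (
	ErrNoResponder          = errors.New("certificate advertises no OCSP responder")
	ErrResponderUnreachable = errors.New("advertised OCSP responder gave no usable answer")
)

// CheckRevocation returns nil when the certificate may be used and an error
// otherwise. A revoked answer is always fatal; an unreachable or unknowing
// responder is fatal only under HardFail.
func CheckRevocation(cert *x509.Certificate, fetch Fetcher, policy RevocationPolicy) error {
	if len(cert.OCSPServer) == 0 { // nothing advertised in the AIA extension
		if policy == HardFail {
			return ErrNoResponder
		}
		return nil
	}
	var lastErr error
	for _, url := range cert.OCSPServer { // id-ad-ocsp access locations from the AIA extension
		status, err := fetch(url)
		if err != nil {
			lastErr = fmt.Errorf("%s: %w", url, err)
			continue
		}
		switch status {
		case StatusGood:
			return nil
		case StatusRevoked:
			return fmt.Errorf("serial %s is revoked according to %s", cert.SerialNumber, url)
		default:
			lastErr = fmt.Errorf("%s: responder does not know this certificate", url)
		}
	}
	// Every responder the CA promised in the certificate failed to answer usefully.
	if policy == HardFail {
		return fmt.Errorf("%w: %v", ErrResponderUnreachable, lastErr)
	}
	return nil
}

// newTestCert builds a self-signed certificate carrying the given OCSP URLs in
// its AIA extension. Constructed test data, not any real CA's certificate.
func newTestCert(ocspURLs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		OCSPServer:   ocspURLs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := newTestCert([]string{"http://ocsp.example.test/"}) // placeholder URL
	if err != nil {
		panic(err)
	}
	// Simulated responder that is advertised but never answers: the thread's scenario.
	dead := func(string) (OCSPStatus, error) { return StatusUnknown, errors.New("connection refused") }
	fmt.Println("advertised responders:", cert.OCSPServer)
	fmt.Println("soft-fail decision:", CheckRevocation(cert, dead, SoftFail))
	fmt.Println("hard-fail decision:", CheckRevocation(cert, dead, HardFail))
}
```

Under `SoftFail` the dead responder is silently tolerated and the certificate is accepted, so the advertised OCSP URL protects nobody; under `HardFail` the same certificate is rejected with `ErrResponderUnreachable`, which is exactly the pressure on CAs that the post expects a unified OCSP requirement to create.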