On 10/13/2009 06:23 PM, Johnathan Nightingale:
> As for ipsCA, I find myself agreeing with Eddy's point: that the null
> bytes are a regrettable validation error that we should work with
> ipsCA to ensure they fix; but NXDOMAIN on an OCSP server that appears
> in issued certs is a bigger problem. I'm talking with Frank and
> Kathleen about options there. I think contacting the CA and
> understanding their situation is certain to be part of it. I think
> suspension of their trust bits is a possible outcome, but it's
> premature to talk about that before giving ipsCA a full chance to
> explain things. We break 6k cert holders if we do that, which I'll
> support if we don't have better options, but I don't see that we're
> there yet.
> Do others really feel like we've exhausted other options or that
> attempts to communicate with the CA are fruitless?
I'd like to make two practical suggestions:
A) Follow up with CRLDP finally in Firefox and implement a fail-over
mechanism in case OCSP is down. For example, StartCom has multiple
CRLDPs at different locations for such cases. That's also important for
us in case of a disaster (and recovery). Obviously it's of little help
in case the software ignores it. Also obviously this doesn't allow for
the current situation; it's primarily for unfortunate cases which can
happen for a short time. This leads me to the second suggestion...
B) File a bug for tracking ipsCA's conduct including the \0 bug and its
resolution, request follow-up with the next audit which covers the
period July-October 2009 (e.g. audit of the year 2009). Perform a review
discussion as we do for including a CA as soon as the audit report is
available. This should be processed at a higher priority than regular
inclusion requests.
#B is important because we are already a month after the alleged bug
happened, plenty of time to get the act together. I think this warrants
some actions; a review and renewed confirmation of compliance might be a
good thing to do in this case.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: [email protected]
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
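The fail-over proposed in suggestion (A), as an added example that is not part of the post nor of any Mozilla or StartCom code: an OCSP responder whose host does not resolve (the NXDOMAIN case in the thread) is treated as "source down" and the client moves on to the certificate's CRL distribution points. The responder URL, CRLDP URLs, serial numbers and fetch callbacks are constructed stand-ins.

```python
import socket
from typing import Callable, Iterable, Optional

# Constructed example of the fail-over in suggestion (A): ask the OCSP responder
# first; if it is unreachable (DNS NXDOMAIN, timeout) or answers 'unknown', fall
# back to each CRL distribution point in turn. Network access is injected through
# two fetch callbacks so this runs offline; no real host is contacted.

OcspFetch = Callable[[str, int], str]   # (responder url, serial) -> good|revoked|unknown
CrlFetch = Callable[[str], set]         # (CRLDP url) -> set of revoked serials

def check_revocation(serial: int, ocsp_url: Optional[str], crldp_urls: Iterable[str],
                     ocsp_fetch: OcspFetch, crl_fetch: CrlFetch,
                     soft_fail: bool = False) -> str:
    """Return 'good', 'revoked' or 'undetermined'. OSError covers socket.gaierror
    (NXDOMAIN) and socket.timeout: both mean the source is down, not an answer."""
    if ocsp_url:
        try:
            status = ocsp_fetch(ocsp_url, serial)
            if status in ("good", "revoked"):
                return status       # a definite OCSP answer wins
        except OSError:
            pass                    # responder unreachable: consult the CRLs
    for url in crldp_urls:
        try:
            revoked = crl_fetch(url)
        except OSError:
            continue                # this distribution point is down, try the next
        return "revoked" if serial in revoked else "good"
    # Every source failed. Soft-fail (accept) was the browser default in 2009;
    # 'undetermined' lets a caller choose to hard-fail instead.
    return "good" if soft_fail else "undetermined"

# Constructed stand-ins for the network, mirroring the situation in the thread.
def ocsp_nxdomain(url: str, serial: int) -> str:
    raise socket.gaierror(-2, "Name or service not known")  # responder host does not resolve
def crl_timeout(url: str) -> set:
    raise socket.timeout("timed out")
def crl_ok(url: str) -> set:
    return {0x1A2B, 0x0042}         # serials this constructed CRL lists as revoked

CRL_SOURCES = {"http://crl1.ca.example/ca.crl": crl_timeout,
               "http://crl2.ca.example/ca.crl": crl_ok}

def crl_fetch_sim(url: str) -> set:
    return CRL_SOURCES[url](url)

# OCSP host gone, first CRLDP times out, second answers: serial 0x42 -> "revoked"
print(check_revocation(0x42, "http://ocsp.ca.example/", list(CRL_SOURCES), ocsp_nxdomain, crl_fetch_sim))
```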