Hmm. That hints that the logging wasn't turned on by default, but I would prefer a confirmation from the CAs and a definitive policy from Mozilla.
Or, considering the momentum on the Do-Not-Track proposal, have a CA policy that says "Do not log if the OCSP request has DNT:1"?

thanks
devdatta

On 6 September 2011 11:11, Ian G <[email protected]> wrote:
> Related but not exactly on point:
>
> ==========
> The rogue certificate found by Google was issued by the DigiNotar Public CA
> 2025. The serial number of the certificate was, however, not found in the CA
> system's records. This leads to the conclusion that it is unknown how many
> certificates were issued without any record present. In order to identify
> these unknown certificates and to prevent them from being used by victims,
> the OCSP responder2 requests were monitored.
> ==========
> From the Fox-IT report on DigiNotar:
> http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html
>
> iang
>
> On 6/09/11 12:48 PM, Devdatta Akhawe wrote:
>>
>> Hi folks
>>
>> I was surprised to note that DigiNotar had a log of all IPs who had
>> requested an OCSP lookup for the bad certs. This seems like a very bad
>> idea on the OCSP server's part. Does Mozilla have a policy on such
>> behavior (maybe this question should be on dev.security.policy)? I
>> feel like CAs should be explicitly told (by Mozilla) to not log OCSP
>> requests.
>>
>> Additionally, one thing I noticed was that if I visit
>> https://www.secure.com in private browsing mode, Firefox makes an OCSP
>> request. After closing private browsing mode and going back to the
>> normal mode, if I go to https://www.secure.com then Firefox caches the
>> OCSP responses and doesn't make a new OCSP request. This seems like a
>> leak of information that should be disabled. What do others think?
>> Thankfully, if I close Firefox after private browsing mode, then
>> Firefox doesn't cache the OCSP response.
>>
>> -Devdatta
>> _______________________________________________
>> dev-security mailing list
>> [email protected]
>> https://lists.mozilla.org/listinfo/dev-security
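The private-browsing cache leak Devdatta describes, and the partitioning that closes it, as an added model that is not part of the thread and is not Firefox code. It compares a single OCSP response cache shared by both browsing modes with one that keeps a separate partition per mode and discards the private partition when the private session ends. The certificate identifier, issuer name, serial number and timestamps are constructed sample values, and the "responder" is a stub that only records which lookups went to the network.

```python
"""Model of a client-side OCSP response cache, shared vs. partitioned by browsing mode.

Added illustration only; not Firefox's implementation. The observable it models:
if a response fetched during private browsing is still served from cache in normal
mode, the absence of a network request later reveals that the site was visited
privately (and the responder already learned client IP + certificate serial).
"""
from dataclasses import dataclass
import hashlib


def cert_id(issuer_name: str, serial: int) -> tuple:
    """Constructed stand-in for an OCSP CertID (issuer hash + serial)."""
    return (hashlib.sha1(issuer_name.encode()).hexdigest(), serial)


@dataclass
class CachedResponse:
    status: str
    next_update: int  # unix time; constructed value


class SharedOcspCache:
    """Naive cache: one map used by every browsing mode (the behaviour in the thread)."""

    def __init__(self):
        self.entries = {}
        self.network_fetches = []  # (cert_id, mode) pairs that reached the responder

    def _fetch(self, cid, mode):
        # Stub responder: records the lookup instead of contacting anything.
        self.network_fetches.append((cid, mode))
        return CachedResponse(status="good", next_update=1_700_000_000 + 86_400)

    def lookup(self, cid, mode, now):
        """Return (response, fetched_from_network)."""
        entry = self.entries.get(cid)
        if entry is not None and entry.next_update > now:
            return entry, False
        entry = self._fetch(cid, mode)
        self.entries[cid] = entry
        return entry, True

    def end_private_session(self):
        pass  # nothing to discard: private and normal mode share one map


class PartitionedOcspCache(SharedOcspCache):
    """Mitigation: a partition per mode; the private partition dies with the session."""

    def __init__(self):
        super().__init__()
        self.entries = {"normal": {}, "private": {}}

    def lookup(self, cid, mode, now):
        part = self.entries[mode]
        entry = part.get(cid)
        if entry is not None and entry.next_update > now:
            return entry, False
        entry = self._fetch(cid, mode)
        part[cid] = entry
        return entry, True

    def end_private_session(self):
        self.entries["private"].clear()


def private_visit_suppresses_normal_fetch(cache_cls) -> bool:
    """True if a private-mode visit causes the later normal-mode visit to skip the network.

    That is the information leak: normal-mode traffic (or its absence) depends on
    what happened inside the private session.
    """
    cache = cache_cls()
    cid = cert_id("CN=Example CA", 0x1234)  # constructed issuer and serial
    now = 1_700_000_000
    _, fetched_private = cache.lookup(cid, "private", now)
    cache.end_private_session()
    _, fetched_normal = cache.lookup(cid, "normal", now + 60)
    return fetched_private and not fetched_normal


def network_fetch_count(cache_cls) -> int:
    """Number of responder contacts for the private-then-normal visit sequence."""
    cache = cache_cls()
    cid = cert_id("CN=Example CA", 0x1234)
    now = 1_700_000_000
    cache.lookup(cid, "private", now)
    cache.end_private_session()
    cache.lookup(cid, "normal", now + 60)
    return len(cache.network_fetches)


if __name__ == "__main__":
    for cls in (SharedOcspCache, PartitionedOcspCache):
        print(cls.__name__, "leaks:", private_visit_suppresses_normal_fetch(cls),
              "fetches:", network_fetch_count(cls))
```

The partitioned variant costs one extra responder contact per certificate per mode, which is the price of making normal-mode behaviour independent of the private session; the same partitioning argument applies to any per-origin state a responder or network observer can correlate with a visit.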
