> Hmm. That hints that the logging wasn't turned on by default, but I
> would prefer a confirmation from the CAs and a definitive policy from
> Mozilla.
>
> Or considering the momentum on the Do-Not-Track proposal, have a CA
> policy that says "Do not log if the OCSP request has a DNT:1" ?

With all due respect, I think this is a terrible idea. The CA has a legitimate 
interest in tracking hits, to monitor load and detect possible attacks. I think 
what you're trying to do is to prevent privacy loss, but there are better ways 
to do that without tying the CA's hands.

-Rick Andrews

> On 6 September 2011 11:11, Ian G <[email protected]> wrote:
>> Related but not exactly on point:
>>
>> ==========
>> The rogue certificate found by Google was issued by the DigiNotar Public CA
>> 2025. The serial number of the certificate was, however, not found in the CA
>> system's records. This leads to the conclusion that it is unknown how many
>> certificates were issued without any record present. In order to identify
>> these unknown certificates and to prevent them from being used by victims,
>> the OCSP responder requests were monitored.
>> ==========
>> From the Fox-IT report on DigiNotar:
>> http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html
>>
>> iang
>>
>> On 6/09/11 12:48 PM, Devdatta Akhawe wrote:
>>>
>>> Hi folks
>>>
>>> I was surprised to note that DigiNotar had a log of all IPs who had
>>> requested an OCSP lookup for the bad certs. This seems like a very bad
>>> idea on the OCSP server's part. Does Mozilla have a policy on such
>>> behavior (maybe this question should be on dev.security.policy) ? I
>>> feel like CAs should be explicitly told (by Mozilla) to not log OCSP
>>> requests.
>>>
>>> Additionally, one thing I noticed was that if I visit
>>> https://www.secure.com in private browsing mode; Firefox makes an OCSP
>>> request. After closing private browsing mode and going back to the
>>> normal mode, if I go to https://www.secure.com then Firefox caches the
>>> OCSP responses and doesn't make a new OCSP request. This seems like a
>>> leak of information that should be disabled. What do others think?
>>> Thankfully, if I close Firefox after private browsing mode, then
>>> Firefox doesn't cache the OCSP response.
>>>
>>>
>>> -Devdatta

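Added example, not code from this thread or from any CA: the monitoring Fox-IT describes (watching OCSP requests for serials the CA has no record of) implemented so that the responder log keeps the load and abuse signal Rick wants without retaining which IP asked about which certificate. The issuance records, the daily pseudonymisation key, the Apache-style log format and the DER sample are all constructed for the example.

```python
import base64, hashlib, hmac, re
from collections import Counter
from urllib.parse import unquote

ISSUED_SERIALS = {1337, 4242}            # constructed stand-in for the CA's issuance records
DAILY_IP_KEY = b"rotate-this-key-daily"  # hypothetical per-day secret for pseudonymising client IPs

def der(tag, *parts):
    """Minimal DER TLV encoder (short-form lengths), used only to build the constructed sample."""
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def der_children(buf):
    """Split a DER constructed value into (tag, contents) pairs; handles long-form lengths."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def serials_in_ocsp_request(raw):
    """OCSPRequest > TBSRequest > requestList > Request > CertID.serialNumber (RFC 6960 layout)."""
    tbs = der_children(der_children(raw)[0][1])[0][1]
    request_list = next(v for t, v in der_children(tbs) if t == 0x30)  # skip [0] version, [1] requestorName
    cert_ids = [der_children(request)[0][1] for _, request in der_children(request_list)]
    return [int.from_bytes(der_children(c)[3][1], "big", signed=True) for c in cert_ids]

def ocsp_get_path(serial):
    """Constructed OCSP GET path for one serial (SHA-1 CertID with dummy issuer hashes)."""
    alg = der(0x30, der(0x06, bytes.fromhex("2b0e03021a")), der(0x05))
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")
    cert_id = der(0x30, alg, der(0x04, b"\x11" * 20), der(0x04, b"\x22" * 20), der(0x02, serial_bytes))
    return "/" + base64.b64encode(der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))).decode()

# Constructed access-log lines: two clients, one of them asking about a serial the CA never issued.
SAMPLE_LOG = [f'{ip} - - [06/Sep/2011:12:48:00 +0000] "GET {ocsp_get_path(s)} HTTP/1.1" 200 1460'
              for ip, s in [("203.0.113.7", 1337), ("198.51.100.4", 1337), ("198.51.100.4", 9001)]]
LOG_RE = re.compile(r'^(\S+) .*"GET /(\S+) HTTP')

def summarise(log_lines):
    """Hits per serial, serials unknown to the CA, and distinct keyed-hash client pseudonyms."""
    hits, clients = Counter(), set()
    for m in filter(None, map(LOG_RE.match, log_lines)):
        ip, path = m.groups()
        for serial in serials_in_ocsp_request(base64.b64decode(unquote(path))):
            hits[serial] += 1
        clients.add(hmac.new(DAILY_IP_KEY, ip.encode(), hashlib.sha256).hexdigest()[:16])
    return hits, set(hits) - ISSUED_SERIALS, clients
```

With the key rotated daily, the pseudonyms still give a distinct-client count for load monitoring but cannot be joined across days or reversed to a browsing history.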
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
