Hi,

On 02/06/2012 08:18 PM, Hanno Böck wrote:
> Seems Google noted that using OCSP and not rejecting certificates on
> connection failure doesn't make much sense:
> http://www.imperialviolet.org/2012/02/05/crlsets.html
>
> So they decided that they'll probably disable OCSP altogether. Not sure
> what I should think of it (seriously, they're probably right to disable
> something that is broken anyway).
I like the reasoning but would reach slightly different conclusions. Mainly because I don't think OCSP is so broken we should turn it off. Unless your attacker is so strong he can control and suppress your IP traffic right at your gateway, OCSP will still work. They are right about the soft-fail, however. So I guess OCSP + stapling would be better, and it may be the more viable solution.

I also hesitate because moving the revocation part into the browser updates doesn't seem very scalable. It will help by adding revocation info for important sites, sure, but where do you draw the line? How many sites do you want to add and monitor as a browser vendor? What about open source browsers - are they supposed to follow this lead and track revocations for x sites, by crawling the Web as Google can do? What about the many revocations that come without a reason (that might actually be the majority) - how should they be treated? And finally, will CAs be happy to comply here?

Ralph

-- 
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
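Added example, not part of the thread: a small Python model of the client policies discussed above (soft-fail and hard-fail OCSP, with and without a stapled response) evaluated when the responder cannot be reached at connection time. All names and scenario values are constructed, and a stapled response is simplified by assuming its CA signature and validity window have already been verified.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"  # responder unreachable, whatever the cause

@dataclass
class Cert:
    revoked: bool                         # what the CA's responder would answer
    stapled: Optional[OcspStatus] = None  # response the server sent in the handshake

def query_responder(cert: Cert, responder_reachable: bool) -> OcspStatus:
    """Live OCSP lookup; an outage and a dropped route look the same to the client."""
    if not responder_reachable:
        return OcspStatus.UNAVAILABLE
    return OcspStatus.REVOKED if cert.revoked else OcspStatus.GOOD

def accept_cert(cert: Cert, responder_reachable: bool, policy: str) -> bool:
    """True if the client completes the handshake; policy is "soft-fail" or "hard-fail".

    A stapled response, if present, replaces the live query. The model assumes the
    staple's CA signature and validity window were already verified (simplification).
    """
    if policy not in ("soft-fail", "hard-fail"):
        raise ValueError(f"unknown policy {policy!r}")
    status = cert.stapled if cert.stapled is not None else query_responder(cert, responder_reachable)
    if status is OcspStatus.GOOD:
        return True
    if status is OcspStatus.REVOKED:
        return False
    return policy == "soft-fail"  # UNAVAILABLE: the only case where the policy matters

def policy_matrix() -> dict:
    """Constructed scenarios: the responder cannot be reached at connection time."""
    revoked_no_staple = Cert(revoked=True)   # no staple sent: the client must ask the responder
    good_no_staple = Cert(revoked=False)
    good_stapled = Cert(revoked=False, stapled=OcspStatus.GOOD)
    return {
        "soft-fail, revoked, no staple": accept_cert(revoked_no_staple, False, "soft-fail"),
        "hard-fail, revoked, no staple": accept_cert(revoked_no_staple, False, "hard-fail"),
        "hard-fail, good, no staple": accept_cert(good_no_staple, False, "hard-fail"),
        "hard-fail, good, stapled": accept_cert(good_stapled, False, "hard-fail"),
    }

if __name__ == "__main__":
    for scenario, ok in policy_matrix().items():
        print(f"{scenario:32} -> {'accept' if ok else 'reject'}")
```

The first row is the soft-fail weakness the linked post describes, the third is the availability cost of plain hard-fail, and the last shows why stapling makes hard-fail workable.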