:39 PM
To: fhw...@gmail.com; dev-security-policy@lists.mozilla.org
Subject: Re: Turn on hardfail?
I'm talking about the DoS vulnerability opened up by making a few OCSP
servers a single point of failure for *many* sites.
It's also not great that you have to let certificate authorities know about
If there was a DoS attack it would be the first and the last.
OCSP is only a DoS issue for servers that don't staple. All modern
servers can staple if configured to do so. Further, it is only the
weaker CAs that don't have DoS-proof OCSP service.
So if there was a DoS attack we would see a sudden
requires a DoS of the OCSP server. These servers are often pretty flaky too.
I am seeing people suggest that a CA be dropped from the root for
their alleged improper handling of revocation. If revocation matters
so much that it must be enforced on CAs then it matters enough to turn
on hardfail for a major server coding error.
Every platform is vulnerable because the server key can