[cabfpub] SANS Institute Editorial Comment about CABF

Ryan Hurst ryan.hurst at globalsign.com
Fri Oct 5 18:26:58 UTC 2012


While I agree the text in the post is incorrect (SSL behavior is orthogonal
to code signing behavior), the browsers/OSes still do not behave correctly
here.

Most notably, by treating authoritative unknown responses from an OCSP
responder the same as a good one. Additionally, one of the problems inherent
to operating system code signing is that you have to work when there is no
internet; as such, I believe Authenticode (as an example) will still ignore
network connectivity problems.

Both of these problems can be dealt with better, but I do not believe either
is related to the CAB Forum; this is purely about poorly behaving clients.

Ryan
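The two client behaviours described above (treating an authoritative OCSP "unknown" as if it were "good", and ignoring network failures) as an added illustration that is not part of the thread or any vendor's code: a lenient verdict function modelling the misbehaviour beside a strict one that only accepts a fresh, authoritative "good" and makes the offline case an explicit policy choice. The OcspResult type and the sample responses are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # responder answered, but has no record of this cert


@dataclass
class OcspResult:
    """Outcome of one OCSP lookup. status=None means no response was
    obtained at all (connectivity or responder failure), which is a
    different condition from an authoritative UNKNOWN."""
    status: Optional[OcspStatus]
    this_update: Optional[datetime] = None
    next_update: Optional[datetime] = None


def lenient_verdict(result: OcspResult) -> bool:
    """The misbehaviour described in the mail: anything that is not an
    explicit REVOKED (unknown, stale, or no response) is accepted."""
    return result.status is not OcspStatus.REVOKED


def strict_verdict(result: OcspResult, now: datetime,
                   soft_fail_on_network_error: bool = False) -> bool:
    """Accept only a fresh, authoritative GOOD. UNKNOWN is never good.
    A missing response is governed by explicit policy (hard-fail by
    default; an offline code-signing verifier might choose soft-fail)."""
    if result.status is None:
        return soft_fail_on_network_error
    if result.status is not OcspStatus.GOOD:
        return False
    if result.this_update is None or result.this_update > now:
        return False  # no producedAt/thisUpdate, or dated in the future
    if result.next_update is not None and result.next_update < now:
        return False  # response has expired; must not be relied upon
    return True


# Constructed sample lookups, evaluated at a fixed "now".
NOW = datetime(2012, 10, 5, 18, 0, tzinfo=timezone.utc)
SAMPLES = {
    "fresh_good": OcspResult(OcspStatus.GOOD, NOW - timedelta(hours=1), NOW + timedelta(days=1)),
    "unknown": OcspResult(OcspStatus.UNKNOWN, NOW - timedelta(hours=1), NOW + timedelta(days=1)),
    "stale_good": OcspResult(OcspStatus.GOOD, NOW - timedelta(days=10), NOW - timedelta(days=1)),
    "no_response": OcspResult(None),
}
```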

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Chris Palmer
Sent: Friday, October 05, 2012 11:02 AM
To: Rick Andrews
Cc: public at cabforum.org
Subject: Re: [cabfpub] SANS Institute Editorial Comment about CABF

On Fri, Oct 5, 2012 at 10:55 AM, Rick Andrews <Rick_Andrews at symantec.com>
wrote:

> Should we as a group respond to this?

Anyone who knows what's going on knows that HTTPS/TLS is not the same as
code signing, and that revocation problems and solutions for one are very
different from revocation problems and solutions for the other. I don't see
a good reason to boost this guy's signal.
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public