[cabfpub] August 1st Deadline for No "Good" Reponse to Non-Issued Certificate

Kelvin Yiu kelviny at exchange.microsoft.com
Fri Jul 19 20:04:21 UTC 2013


I understand the intent of the requirement and I think the idea is logically sound.

As Tom said, the problem is that the requirement does not protect from attackers that are able to use the same serial number as unexpired certificates. When you factor in the requirement for CAs to instaneously update the OCSP server, or make the CA database accessible to the OCSP server, we have to make a security trade off.

The lesson I learned from the Diginotar incident is that network compromises is fact and I believe it is more important to reduce the risk of compromising a CA server by making it as easy as possible to limit the network exposure, than requiring a specific mitigation.

Kelvin

Sent from Windows Phone 8
________________________________
From: Yngve N. Pettersen<mailto:yngve at spec-work.net>
Sent: ‎7/‎19/‎2013 12:36 PM
To: public at cabforum.org<mailto:public at cabforum.org>
Subject: Re: [cabfpub] August 1st Deadline for No "Good" Reponse to Non-Issued Certificate


Kelvin, the requirement is there to prevent a CA from responding "this
certificate is not revoked" for a certificate that the CA in question have
absolutely no idea *exists*. The worst possible reason for such a query to
be received is that the CA's issuing system have been compromised, and the
attacker removed all traces of the certificate having been issued, which
is what happened during the DigiNotar incident.

Changing this into a recommendation would mean that browsers would never
be able to reliably determine that a certificate exists and is not
revoked, and there would be no way to prevent a repetition of the
DigiNotar incident.

On Fri, 19 Jul 2013 21:18:14 +0200, Kelvin Yiu
<kelviny at exchange.microsoft.com> wrote:

> My preference is to change the OCSP behavior into a recommendation
> instead of a requirement with no deadline. The problem with moving the
> deadline to January is that CAs are still under pressure to meet the
> requirement. We need to ensure the new deadline takes into account
> sufficient time to obtain sufficient commercial vendor support and for
> CAs to integrate the new software.
>
> We can still work towards resolving the issue according to Ben’s
> proposed timeline, but January 2014 is just too soon to be practical.
>
> Kelvin
>
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Eddy Nigg (StartCom Ltd.)
> Sent: Friday, July 19, 2013 9:48 AM
> To: public at cabforum.org
> Subject: Re: [cabfpub] August 1st Deadline for No "Good" Reponse to
> Non-Issued Certificate
>
>
> On 07/19/2013 07:41 PM, From Ben Wilson:
> Should we move the deadline from August 1 to January 1 and request that
> any CA / OCSP software provider with a problem provide us with a
> statement of progress, hurdles to overcome, and/or proposed milestones,
> with a response deadline of October 15 .  Then, based on those responses
> received, if any, we determine whether the deadline should be moved out
> further?
> If there is interest in this proposal, then we should create a new
> ballot and we would need a sponsor and two endorsers.   Also, to the
> extent that the timing of the review and voting periods would extend
> beyond August 1, we would have to suspend the rules in order for voting
> to be completed before August 1.
>
> I would agree with both - e.g. split the ballots into two and the
> January first deadline for OCSP.
>
> Regards
>
>
>
> Signer:
>
> Eddy Nigg, COO/CTO
>
>
>
> StartCom Ltd.<http://www.startcom.org>
>
> XMPP:
>
> startcom at startcom.org<xmpp:startcom at startcom.org>
>
> Blog:
>
> Join the Revolution!<http://blog.startcom.org>
>
> Twitter:
>
> Follow Me<http://twitter.com/eddy_nigg>
>
>
>
>


--
Sincerely,
Yngve N. Pettersen

Using Opera's mail client: http://www.opera.com/mail/
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130719/1e3a053b/attachment-0003.html>


More information about the Public mailing list