[cabfpub] OCSP Stapling and Short-Lived Certificates Proposal

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Sat Mar 23 06:30:01 UTC 2013


On 03/23/2013 02:44 AM, From Ryan Sleevi:
>
> If the browser has obtained a valid OCSP response (eg: via OCSP 
> stapling), they can skip obtaining fresh revocation information - 
> because to every compliant implementation, it IS fresh revocation 
> information.

Let me help you think here... in this case there was at least ONE 
OCSP check done, whereas in your case it's NONE.

For an attack to be successful you can't rely on the possibility that A) 
the victim has visited the site beforehand and B) nothing happened to 
the cache and C) the software being used doesn't check OCSP again. This 
isn't a reliable attack and is at too much risk of being detected early.

What you propose is the perfect attack with no chance to intervene, very 
reliably for 7 days. Usually more than enough for the target.

Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
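As an added illustration of the windows being argued over (example code written for this page, not from the thread or either author): a small model of how long each client strategy keeps accepting a certificate after the CA revokes it. The timeline, the 2-day staple validity and the assumption that a fresh OCSP query sees the revocation immediately are constructed for the example; the 7-day lifetime is the figure from the discussion.

```python
from datetime import datetime, timedelta

# Constructed timeline (assumption, not from the thread): a 7-day certificate is
# issued 1 Mar, the CA revokes it on 2 Mar at 12:00, and we ask how long each
# client strategy keeps accepting it. A fresh OCSP query is assumed to report
# the revocation as soon as it happens.
NOT_BEFORE = datetime(2013, 3, 1, 0, 0)
NOT_AFTER = NOT_BEFORE + timedelta(days=7)
REVOKED_AT = datetime(2013, 3, 2, 12, 0)
# Last 'good' OCSP response the server obtained before revocation (assumed
# 2-day validity). A server can keep stapling it until nextUpdate, so a client
# that trusts the staple keeps trusting it for that long.
STAPLE_THIS_UPDATE = datetime(2013, 3, 2, 0, 0)
STAPLE_NEXT_UPDATE = STAPLE_THIS_UPDATE + timedelta(days=2)


def accepts(now, mode):
    """True if a client using `mode` would accept the certificate at `now`."""
    if not (NOT_BEFORE <= now < NOT_AFTER):
        return False  # expired or not yet valid: every mode rejects
    if mode == "fresh-ocsp":
        # Live query on every connection: sees the revocation immediately.
        return now < REVOKED_AT
    if mode == "stapled":
        # Trusts the pre-revocation 'good' staple until its nextUpdate, then
        # falls back to a fresh query, which reports the revocation.
        if STAPLE_THIS_UPDATE <= now < STAPLE_NEXT_UPDATE:
            return True
        return now < REVOKED_AT
    if mode == "short-lived":
        # No revocation check at all: only the notAfter date ends acceptance.
        return True
    raise ValueError(f"unknown mode: {mode}")


def exposure_hours(mode):
    """Hours after revocation during which the client still accepts the cert."""
    hours, t = 0, REVOKED_AT
    while t < NOT_AFTER:
        if accepts(t, mode):
            hours += 1
        t += timedelta(hours=1)
    return hours


if __name__ == "__main__":
    for mode in ("fresh-ocsp", "stapled", "short-lived"):
        print(f"{mode:12s} accepted for {exposure_hours(mode):4d} h after revocation")
```

The stapled window is bounded by the response's nextUpdate, while the short-lived window runs all the way to notAfter, which is the difference the message above is pointing at.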
