[cabfpub] OCSP Stapling and Short-Lived Certificates Proposal

[Robert Relyea]

On 03/25/2013 03:42 AM, Yngve N. Pettersen wrote:
> On Mon, 25 Mar 2013 11:37:15 +0100, Gervase Markham <gerv at mozilla.org>
> wrote:
>
>> On 23/03/13 05:23, Ryan Sleevi wrote:
>>> If the CA has issued a valid, signed OCSP response, then they have no
>>> ability to revoke that certificate for any client that supports
>>> stapling, until that OCSP response expires.
>> And if I were an attacker, the very first thing I'd go, on obtaining my
>> dodgy cert, would be to grab a valid OCSP response for it so I had that
>> in the bank too.
> This is the reason why I would have preferred that OCSP stapled responses
> had a freshness requirement, meaning that they would have to be refetched
> (and regenerated) every few hours, no matter that it is nominally valid
> for days.
>

The only date that the client can rely on for 'how fresh is this' is the 
date on the OCSP response. Any OCSP response can come from multiple 
sources, and the date that we actually 'fetched' the response is 
irrelevant. The client can't tell if the server has refetched the OCSP 
response or not unless the OCSP response has a fresher date in the 
signed response.

Any plan that assumes the client records or cares when the last time it 
fetched a response is irrelevant. This whole matter is in the hands of 
the CA issuing the OCSP response. If the response is issued to be valid 
for 7 days, it would be extremely difficult for the CA to confidently 
revoke the cert  before the end of the 7 days. Yes many, even most users 
will see the revoked response, but a user under active attack won't see 
the response until the end of the 7 days (as rsleevi has clearly pointed 
out).

bob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4521 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130325/d8a3ab42/attachment-0001.p7s>