[cabfpub] Certificate lifetimes: end state or trajectory?
Rich Smith
richard.smith at comodo.com
Fri Mar 10 16:15:34 UTC 2017
You can make the move to hard fail any time you like.
-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase
Markham via Public
Sent: Friday, March 10, 2017 6:37 AM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public
Discussion List <public at cabforum.org>; Phillip Hallam-Baker
<philliph at comodo.com>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: Re: [cabfpub] Certificate lifetimes: end state or trajectory?
On 03/03/17 20:34, Kirk Hall wrote:
> Gerv - on the issue of revocation checking, not everyone is asking for
> browsers to turn on hard fail if the browser fails to get a response
> to a revocation query in a reasonable time.. We would be very happy
> to continue with soft fail - but please, turn on revocation checking
> again. Even if the browser doesn't get a timely response in (say) 10%
> of queries, if it does receive a response "revoked" in the other 90%
> of queries, and displays that to users, that would be a great increase
> in user security.
As noted by Adam Langley, "[S]oft-fail revocation checks are like a
seat-belt that snaps when you crash. Even though it works 99% of the time,
it's worthless because it only works when you don't need it."
https://www.imperialviolet.org/2012/02/05/crlsets.html
This is because "[A]n attacker who can intercept HTTPS connections [so as to
use their bad cert for an MITM] can also make online revocation checks
appear to fail and so bypass the revocation checks."
Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
More information about the Public
mailing list