On Thu, Sep 8, 2011 at 9:33 AM, nlsp <niels.po...@gmail.com> wrote:

> This boils down to whether it is okay to prioritize availability over
> security.

Availability is a security guarantee just like confidentiality or integrity.

> Still, the actual question remains: does the android browser
> support CRL or OCSP in any form?

Even desktop Firefox has security.OCSP.require set to false. Read the
Imperial Violet post again carefully.

> And since CRLs can be cached, it would be perfectly sane to have a
> cached CRL on device for an intermediate that has been compromised,

They get kind of big.

> such as currently Diginotar “Staat der Nederlanden *” intermediates.
> And note that removing the Diginotar root from cacerts.bks does not
> help since the intermediates are chained up to a “Staat der
> Nederlanden” root which is not compromised and should remain trusted.

Actually, no, Staat der Nederlanden is also dead:

https://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/
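An added example in Python (not from this thread, nor Android or Firefox code) modelling the points argued above as a toy chain-validation policy: dropping one root from the store, explicitly distrusting the intermediate, consulting a cached CRL, and OCSP soft-fail versus hard-fail. Certificate names and serials are constructed, and signature verification is assumed to have already passed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

# Constructed chain modelled on the thread: a leaf issued by a DigiNotar-operated
# "Staat der Nederlanden" intermediate whose issuer is a separate, still-trusted root.
LEAF = Cert("www.example.nl", "Staat der Nederlanden Org CA", 1001)
INTERMEDIATE = Cert("Staat der Nederlanden Org CA", "Staat der Nederlanden Root", 42)
CHAIN = [LEAF, INTERMEDIATE]
ROOTS = {"Staat der Nederlanden Root", "DigiNotar Root CA"}

def validate(chain, trusted_roots, distrusted, cached_crl, ocsp_reachable, ocsp_require):
    """Return (accepted, reason). Revocation entries are keyed by (issuer, serial)."""
    # 1. An explicit distrust entry wins regardless of which root the chain reaches.
    for cert in chain:
        if (cert.issuer, cert.serial) in distrusted:
            return False, f"explicitly distrusted: {cert.subject}"
    # 2. The chain must terminate at a root still present in the trust store.
    if chain[-1].issuer not in trusted_roots:
        return False, f"untrusted root: {chain[-1].issuer}"
    # 3. Revocation: consult the cached CRL first; it needs no network round trip.
    for cert in chain:
        if (cert.issuer, cert.serial) in cached_crl:
            return False, f"revoked per cached CRL: {cert.subject}"
    # 4. OCSP: with ocsp_require=False (Firefox's security.OCSP.require default)
    #    an unreachable responder is ignored, i.e. availability wins over security.
    if not ocsp_reachable and ocsp_require:
        return False, "OCSP responder unreachable and hard-fail is enabled"
    return True, "ok"

def scenarios():
    """The cases argued in the thread, as a mapping of name -> accepted."""
    bad_intermediate = {(INTERMEDIATE.issuer, INTERMEDIATE.serial)}
    without_diginotar = ROOTS - {"DigiNotar Root CA"}
    return {
        # Removing only the DigiNotar root changes nothing: the chain never touches it.
        "remove DigiNotar root": validate(CHAIN, without_diginotar, set(), set(), True, False)[0],
        "distrust intermediate": validate(CHAIN, ROOTS, bad_intermediate, set(), True, False)[0],
        "cached CRL lists intermediate": validate(CHAIN, ROOTS, set(), bad_intermediate, True, False)[0],
        "OCSP down, soft-fail": validate(CHAIN, ROOTS, set(), set(), False, False)[0],
        "OCSP down, hard-fail": validate(CHAIN, ROOTS, set(), set(), False, True)[0],
    }

if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:30s} -> {'accepted' if accepted else 'rejected'}")
```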

-- 
You received this message because you are subscribed to the Google Groups 
"Android Security Discussions" group.