On 10/22/2013 09:02 PM, Kathleen Wilson wrote:
> As I mentioned previously, I don't believe the lack of OCSP URI in those EV certificates was causing security risk to end users. Now that OCSP stapling is available, I think we should give Verizon a little bit of time to move their customers to OCSP.
I've been on the sidelines for most of this and other discussions here; however, I don't think this is correct at all: if the server doesn't provide a correct stapled response, the browser must still be able to find the OCSP response on its own. Additionally, servers usually use the exact same information to find a valid OCSP response to include as a browser would, and this response must be fairly frequently updated too, unless the server admin bothers to configure that manually, which I doubt over the longer term for most.

There IS a significant risk if a certificate can't be revoked; this isn't just about EV treatment. Stapling or not, it is still required to provide a source for checking the certificate's status independently, both for the server AND in case stapling fails for this or the other reason (outdated, wrong, etc.).
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: [email protected]
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
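The point made in the reply above, as an added example that is not part of the original thread: the OCSP URI in a certificate's Authority Information Access extension is the single source both the server (when fetching a response to staple) and the browser (when no fresh staple arrives) rely on, so a certificate without it leaves the relying party with no revocation source once stapling fails. The certificates below are constructed self-signed test certificates; the names `makeCert` and `RevocationSource` are this example's own, not anything from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a constructed, self-signed test certificate. ocspURLs fills the
// id-ad-ocsp entries of the AIA extension; nil produces a certificate with no OCSP URI,
// which is the situation discussed in the thread.
func makeCert(cn string, ocspURLs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		OCSPServer:   ocspURLs, // ends up in the AIA extension on the wire
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // re-parse so OCSPServer comes from the encoded AIA
}

// RevocationSource reports how a relying party can learn the certificate's status.
// stapleFresh is true only when the TLS server delivered a stapled response that
// validated and is inside its validity window; otherwise the client must fall back
// to the AIA OCSP URI, and with none present there is no revocation source at all.
func RevocationSource(cert *x509.Certificate, stapleFresh bool) string {
	if stapleFresh {
		return "stapled"
	}
	if len(cert.OCSPServer) > 0 {
		return "fetch from AIA: " + cert.OCSPServer[0]
	}
	return "none"
}

func main() {
	withURI, _ := makeCert("with-ocsp.example", []string{"http://ocsp.example.test/"})
	withoutURI, _ := makeCert("no-ocsp.example", nil)
	fmt.Println(RevocationSource(withURI, false), "|", RevocationSource(withoutURI, false))
}
```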

