They currently check revocation information, just not in the most ideal way.  

1) They don’t check intermediates. Fortunately, intermediates are rarely
revoked, and a CA can email Mozilla when it happens.

2) They don’t check CRLs, which is one of the reasons the CAB Forum
requires CAs to provide OCSP information.

3) They do check end-entity OCSP responses, which all CAs are required to
provide.

Since every CA provides OCSP, there are assurances that users will be aware 
when a certificate is revoked. If Mozilla removes OCSP checks, CAs won’t be 
able to provide revocation information. Although Mozilla will check stapled 
responses, use of OCSP stapling on servers is low.  Even with Mozilla driving 
clients to OCSP stapling, any transition will take a minimum of two years. 
Firefox users will be unable to really rely on a certificate until that time. 

The change also raises questions on how this affects CA practices.  Many CAs 
invested substantially in infrastructure to provide reliable OCSP services.  
Most of us boast more than a 99.9% uptime with servers distributed throughout 
the world.  What does this mean for CAs who, relying on Mozilla’s checking of 
OCSP and support of the baseline requirements, established an expensive and 
geographically diverse infrastructure? 

Mozilla’s main argument is that revocation checking without hard-fail provides 
little security.  Although I disagree with the premises, if the lack of 
hard-fail is really the issue, the obvious solution is to turn it on. Most of 
the CAs would be happy about that.  
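Added illustration, not part of the thread: a small model of the two policy axes the message above describes, which certificates in the chain are queried and whether an undecided OCSP answer fails closed. The chains, names and responder answers are constructed.

```python
from dataclasses import dataclass
from typing import List

# Possible OCSP outcomes as a client sees them (constructed vocabulary).
GOOD, REVOKED, UNKNOWN, UNREACHABLE = "good", "revoked", "unknown", "unreachable"


@dataclass
class ChainCert:
    subject: str          # hypothetical subject name
    is_end_entity: bool   # False for intermediates; roots are trust anchors, not listed
    ocsp: str             # what the responder answers, or UNREACHABLE


def check_chain(chain: List[ChainCert], check_intermediates: bool, hard_fail: bool) -> str:
    """Return 'accept' or 'reject' for the chain under one revocation policy.

    Only certificates the policy covers are queried. A REVOKED answer always
    rejects; UNKNOWN or UNREACHABLE rejects only when hard_fail is set.
    """
    for cert in chain:
        if not cert.is_end_entity and not check_intermediates:
            continue  # end-entity-only policy never asks about this cert
        if cert.ocsp == REVOKED:
            return "reject"
        if cert.ocsp in (UNKNOWN, UNREACHABLE) and hard_fail:
            return "reject"
    return "accept"  # soft-fail treats an undecided answer as good


# Constructed sample: the issuing intermediate has been revoked.
REVOKED_INTERMEDIATE = [
    ChainCert("www.example.test", True, GOOD),
    ChainCert("Example Issuing CA", False, REVOKED),
]
# Constructed sample: healthy chain, but the end-entity responder is down.
RESPONDER_DOWN = [
    ChainCert("www.example.test", True, UNREACHABLE),
    ChainCert("Example Issuing CA", False, GOOD),
]


def end_entity_soft_fail(chain: List[ChainCert]) -> str:
    """End-entity only, soft-fail: the behaviour the message above describes."""
    return check_chain(chain, check_intermediates=False, hard_fail=False)


def full_chain_hard_fail(chain: List[ChainCert]) -> str:
    """Every non-root certificate checked, undecided answers fail closed."""
    return check_chain(chain, check_intermediates=True, hard_fail=True)
```

Running both policies over the two sample chains shows the gap the thread argues about: the revoked intermediate and the unreachable responder both pass under end-entity soft-fail and both fail under full-chain hard-fail.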

From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org] On Behalf Of fhw...@gmail.com
Sent: Friday, November 08, 2013 11:09 AM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Mozilla not compliant with RFC 5280

I would hope not! And yet... Firefox has no revocation checking right now (or 
if you prefer, for the last 17 years).

So what's a Firefox user to do...besides not use Firefox? 


From: Phillip Hallam-Baker

Sent: Friday, November 8, 2013 11:51 AM

To: Jeremy Rowley

Cc: fhw...@gmail.com; mozilla-dev-security-pol...@lists.mozilla.org

Subject: Re: Mozilla not compliant with RFC 5280

I don't believe there are any parties who you would want as CAs that support 
the idea of getting rid of revocation checking.

On Fri, Nov 8, 2013 at 9:35 AM, Jeremy Rowley <jeremy.row...@digicert.com> 
wrote:

I imagine every CA would agree with you.  OCSP stapling is a great idea, but 
the number of servers deploying it are very low.  I don’t believe any CAs 
support the idea of getting rid of revocation checking.



From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org] On Behalf Of fhw...@gmail.com
Sent: Friday, November 08, 2013 6:42 AM

To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Mozilla not compliant with RFC 5280



I was hoping to see more responses on this issue. Does that mean people agree 
it's a problem but aren't sure what to do about it? Is it a small problem 
because Firefox already does OCSP and all the CAs do too?  Or...?



Thanks.


From: fhw...@gmail.com

Sent: Friday, November 1, 2013 5:50 PM

To: Matthias Hunstock; mozilla-dev-security-pol...@lists.mozilla.org

Subject: Re: Mozilla not compliant with RFC 5280



I think that is correct, Matthias.



What's more is that anyone who issues an end-entity cert will be unable to stop 
FF from using that cert in the future--without OCSP setup--until the expiration 
date. (I'll need someone to correct me on that.)



I gotta believe there are people out there who issue(d) CRLs thinking that 
they are now protected when in reality they are not.




From: Matthias Hunstock

Sent: Friday, November 1, 2013 10:46 AM

To: mozilla-dev-security-pol...@lists.mozilla.org

Subject: Re: Mozilla not compliant with RFC 5280



On 29.10.2013 19:37, Kathleen Wilson wrote:
> The goal is for the revocation-push mechanism to be used instead of
> traditional CRL checking, for reasons described in the wiki page and the
> research paper.

Everyone with a "self-made" CA will be completely cut off from
revocation checking, unless there is an OCSP responder?



Matthias
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

-- 
Website: http://hallambaker.com/