On 21/04/14 01:12 PM, Phillip Hallam-Baker wrote:
> Given the current Heartbleed situation, wouldn't it be appropriate to
> turn on hard fail for revocation checking so that unknown status
> results in the cert being rejected.

Using hard fail for revocation checking means a DoS of *many* sites just requires a DoS of the OCSP server. These servers are often pretty flaky too.

> I am seeing people suggest that a CA be dropped from the root for
> their alleged improper handling of revocation. If revocation matters
> so much that it must be enforced on CAs then it matters enough to turn
> on hardfail for a major server coding error.

https://www.imperialviolet.org/2014/04/19/revchecking.html

> Every platform is vulnerable because the server key can be extracted
> in certain situations. A browser does not need to use OpenSSL to be
> vulnerable to the OpenSSL bug.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

