OK, sure. Short answer is that I'm not that concerned--at least I don't think I'm that concerned.
Regarding single points of failure, I think we'll need to rely on domain owners and server admins to put pressure on their CAs to make sure the system availability for the OCSP responders is 99.9% and higher. Some CAs have already done that and the others will have to follow suit.

Regarding privacy, I come down on the cynical side and argue that there is no privacy anyway. Your ISP knows your habits, your government knows your habits, Google definitely knows your habits, hundreds of other sites try to identify your habits. From that standpoint, having a CA know your habits is not a significant erosion of privacy. For that matter, I wouldn't be surprised if some CAs already collect and sell that information. (We could always ask them!)

I would just add that the OCSP stapling approach does clearly help in both regards, so it's probably a good idea for some of the main Internet destinations to have that. However, even stapling is not a perfect answer to either point of failure or privacy concerns.

Original Message
From: Daniel Micay
Sent: Wednesday, April 23, 2014 11:39 PM
To: [email protected]; [email protected]
Subject: Re: Turn on hardfail?

I'm talking about the DoS vulnerability opened up by making a few OCSP servers a single point of failure for *many* sites. It's also not great that you have to let certificate authorities know about your browsing habits.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

