On Tue, 8 Mar 2016 13:58:21 -0800
Andrew Ayer <a...@andrewayer.name> wrote:

> 2. Forbid OCSP nonces.  OCSP nonces are optional in practice and it's
> always risky to sign arbitrary attacker-controlled data.  Or, limit
> nonces to 32 bytes, which is long enough for an anti-replay nonce
> but probably too short to exploit a chosen-prefix attack.

Addendum: I just noticed that some responders will echo back
attacker-controlled serial numbers of arbitrary length (with a
certificate status of "unknown"), which provides another vector for a
chosen-prefix attack even if nonces are restricted.

To plug this hole, responders could return an unsigned "unauthorized"
response for unknown certificates, as permitted by RFC5019.

dev-security-policy mailing list
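The following is an added, stdlib-only Python model of the two mitigations discussed in the thread; it is not code from the mailing-list post or from any real responder. It builds a minimal DER OCSPRequest, extracts the two attacker-controlled fields a responder would otherwise echo under its signature (the nonce and the serial number), caps the nonce at 32 bytes, and answers unknown serials with an unsigned status-only OCSPResponse (unauthorized(6), the RFC 5019 behaviour the message points to). The function names, the zeroed issuer hashes and the `KNOWN_SERIALS` set are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

MAX_NONCE_LEN = 32  # cap proposed in the quoted message
OID_NONCE = bytes.fromhex("2b0601050507300102")  # id-pkix-ocsp-nonce 1.3.6.1.5.5.7.48.1.2
OID_SHA1 = bytes.fromhex("2b0e03021a")           # 1.3.14.3.2.26, CertID hashAlgorithm
MALFORMED_REQUEST, UNAUTHORIZED = 1, 6           # OCSPResponseStatus values (RFC 6960)
KNOWN_SERIALS = {bytes.fromhex("1001"), bytes.fromhex("1002")}  # constructed issuer database


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; returns (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n


def children(body: bytes):
    """Iterate over the TLVs directly inside a constructed element."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner


def build_ocsp_request(serial: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Minimal OCSPRequest with one CertID; issuer hashes are constructed zeros."""
    alg_id = tlv(0x30, tlv(0x06, OID_SHA1) + tlv(0x05, b""))
    cert_id = tlv(0x30, alg_id + tlv(0x04, b"\x00" * 20) + tlv(0x04, b"\x00" * 20)
                  + tlv(0x02, serial))
    tbs = tlv(0x30, tlv(0x30, cert_id))  # requestList SEQUENCE OF Request { reqCert }
    if nonce is not None:
        # Extension { extnID, extnValue OCTET STRING wrapping OCTET STRING nonce }
        ext = tlv(0x30, tlv(0x06, OID_NONCE) + tlv(0x04, tlv(0x04, nonce)))
        tbs += tlv(0xA2, tlv(0x30, ext))  # requestExtensions [2] EXPLICIT
    return tlv(0x30, tlv(0x30, tbs))


@dataclass
class RequestFacts:
    serial: bytes
    nonce: Optional[bytes]


def inspect_request(der: bytes) -> RequestFacts:
    """Pull out the two requester-controlled fields a responder would echo back."""
    _, ocsp_req, _ = read_tlv(der)
    _, tbs, _ = read_tlv(ocsp_req)
    serial, nonce = b"", None
    for tag, body in children(tbs):
        if tag == 0x30:  # requestList: first Request -> CertID -> serialNumber
            _, request, _ = read_tlv(body)
            _, cert_id, _ = read_tlv(request)
            serial = [b for t, b in children(cert_id) if t == 0x02][0]
        elif tag == 0xA2:  # requestExtensions
            _, exts, _ = read_tlv(body)
            for _, ext in children(exts):
                fields = list(children(ext))
                if fields[0][1] == OID_NONCE:
                    _, nonce, _ = read_tlv(fields[-1][1])  # nonce inside extnValue
    return RequestFacts(serial, nonce)


def status_only_response(code: int) -> bytes:
    """Unsigned OCSPResponse carrying just responseStatus (no responseBytes)."""
    return tlv(0x30, tlv(0x0A, bytes([code])))


def respond(der: bytes, known=KNOWN_SERIALS) -> dict:
    """Decide what, if anything, goes under the responder's signature."""
    facts = inspect_request(der)
    if facts.nonce is not None and len(facts.nonce) > MAX_NONCE_LEN:
        return {"status": "malformedRequest", "signed": False, "echoed_bytes": 0,
                "response": status_only_response(MALFORMED_REQUEST)}
    if facts.serial not in known:
        # Unknown serial: answer without signing, so no attacker bytes are signed.
        return {"status": "unauthorized", "signed": False, "echoed_bytes": 0,
                "response": status_only_response(UNAUTHORIZED)}
    echoed = len(facts.serial) + (len(facts.nonce) if facts.nonce else 0)
    # A real responder would now build and sign the BasicOCSPResponse; here we
    # only report how many requester-controlled bytes that signature would cover.
    return {"status": "successful", "signed": True, "echoed_bytes": echoed,
            "response": None}
```

With the cap in place, the requester-controlled bytes under a signed response are bounded by 32 plus the length of a serial the issuer actually issued, and a request naming any other serial never reaches the signing key at all.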
