On Tue, 8 Mar 2016 13:58:21 -0800 Andrew Ayer <a...@andrewayer.name> wrote:
> 2. Forbid OCSP nonces. OCSP nonces are optional in practice and it's
> always risky to sign arbitrary attacker-controlled data. Or, limit
> nonces to 32 bytes, which is long enough for an anti-replay nonce
> but probably too short to exploit a chosen-prefix attack.

Addendum: I just noticed that some responders will echo back
attacker-controlled serial numbers of arbitrary length (with a
certificate status of "unknown"), which provides another vector for a
chosen-prefix attack even if nonces are restricted.

To plug this hole, responders could return an unsigned "unauthorized"
response for unknown certificates, as permitted by RFC5019.

Regards,
Andrew

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
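The responder-side policy sketched in this message, as an added example that is not code from the thread or from any OCSP implementation: it walks an unsigned OCSPRequest with a minimal hand-written DER reader, caps the nonce at the 32 bytes proposed above, rejects serialNumber INTEGERs longer than the 20-octet limit RFC 5280 imposes on CAs, and answers anything unknown with a status-only (unsigned) OCSPResponse instead of echoing the attacker's bytes under a signature. The 32- and 20-byte limits, the choice of malformedRequest(1) for an oversize nonce, and the build_request helper that constructs the sample inputs are assumptions made for the example; the nonce length is measured on the extnValue contents, which bounds the nonce under either the RFC 6960 or the RFC 8954 encoding.

```python
"""Added example: bound the attacker-controlled fields of an OCSP request
before anything is signed. Standard library only; the DER helpers are a
minimal walker for an unsigned OCSPRequest, not a general ASN.1 parser."""

MAX_NONCE_LEN = 32    # assumed cap, as proposed in the thread
MAX_SERIAL_LEN = 20   # RFC 5280 4.1.2.2: CAs MUST NOT issue serials > 20 octets

# DER body of OBJECT IDENTIFIER 1.3.6.1.5.5.7.48.1.2 (id-pkix-ocsp-nonce)
NONCE_OID_BODY = bytes.fromhex("2b0601050507300102")
# AlgorithmIdentifier for SHA-1, used only to build the constructed sample request
SHA1_ALGID = bytes.fromhex("300906052b0e03021a0500")

# OCSPResponseStatus values (RFC 6960 section 4.2.1)
MALFORMED_REQUEST = 1
UNAUTHORIZED = 6


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:          # indefinite or absurd length
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def der_children(body: bytes):
    """Yield (tag, body) for each TLV directly inside a constructed body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        yield tag, val


def unsigned_status(status: int) -> bytes:
    """OCSPResponse { responseStatus } with no responseBytes: nothing gets signed."""
    return der_tlv(0x30, der_tlv(0x0A, bytes([status])))


def parse_request(der: bytes):
    """Return (raw serialNumber INTEGER bodies, nonce extnValue body or None)."""
    tag, ocsp_body, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("OCSPRequest is not a SEQUENCE")
    _, tbs, _ = der_read(ocsp_body)          # TBSRequest; optionalSignature ignored
    serials, nonce = [], None
    for tag, val in der_children(tbs):
        if tag == 0x30:                      # requestList SEQUENCE OF Request
            for _, req in der_children(val):
                _, cert_id, _ = der_read(req)            # reqCert CertID
                fields = list(der_children(cert_id))     # algId, nameHash, keyHash, serial
                serials.append(fields[3][1])
        elif tag == 0xA2:                    # [2] EXPLICIT requestExtensions
            _, exts, _ = der_read(val)
            for _, ext in der_children(exts):
                parts = list(der_children(ext))          # extnID, [critical], extnValue
                if parts[0][1] == NONCE_OID_BODY:
                    nonce = parts[-1][1]
    return serials, nonce


def check_request(der: bytes, known_serials):
    """Return None if the request may be signed, else the unsigned response to send."""
    try:
        serials, nonce = parse_request(der)
    except (ValueError, IndexError):
        return unsigned_status(MALFORMED_REQUEST)
    if nonce is not None and len(nonce) > MAX_NONCE_LEN:
        return unsigned_status(MALFORMED_REQUEST)      # refuse to sign an oversize nonce
    for s in serials:
        # Length is checked before the value so a huge INTEGER is never echoed back.
        if len(s) > MAX_SERIAL_LEN or int.from_bytes(s, "big", signed=True) not in known_serials:
            return unsigned_status(UNAUTHORIZED)       # unsigned, per RFC 5019
    return None


def build_request(serial: int, nonce):
    """Construct a minimal unsigned OCSPRequest as sample input (not a real client)."""
    serial_body = serial.to_bytes(serial.bit_length() // 8 + 1, "big")  # shortest positive INTEGER
    cert_id = der_tlv(0x30, SHA1_ALGID + der_tlv(0x04, b"\x00" * 20)
                      + der_tlv(0x04, b"\x00" * 20) + der_tlv(0x02, serial_body))
    tbs = der_tlv(0x30, der_tlv(0x30, cert_id))              # requestList
    if nonce is not None:
        ext = der_tlv(0x30, der_tlv(0x06, NONCE_OID_BODY) + der_tlv(0x04, nonce))
        tbs += der_tlv(0xA2, der_tlv(0x30, ext))             # [2] requestExtensions
    return der_tlv(0x30, der_tlv(0x30, tbs))
```

A request with a known serial and an 8-byte nonce passes (check_request returns None); a 4096-byte nonce or a 251-byte serial comes back as the five-byte unsigned status response, so the only bytes a chosen-prefix attacker can steer into signed material are the 32-byte nonce and a serial the responder already knows.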