Date: Sat, 3 Sep 2016 01:45:48 +0200
From: Patrick Figel <[email protected]>
Subject: Re: Sanctions short of distrust

On 03/09/16 01:15, Matt Palmer wrote:
On Fri, Sep 02, 2016 at 03:48:13PM -0700, John Nagle wrote:
On 09/02/2016 01:04 PM, Patrick Figel wrote:
On 02/09/16 21:14, John Nagle wrote:
2. For certs under this root cert, always check CA's
certificate transparency server.   Fail if not found.

To my knowledge, CT does not have any kind of online check
mechanism. SCTs can be embedded in the certificate (at the time
of issuance), delivered as part of the TLS handshake or via OCSP
stapling.

You're supposed to be able to check if a cert is known by querying
an OCSP responder.   OCSP stapling is just a faster way to do
that.

...
In addition to these concerns, (and assuming Mozilla would even be
willing to go down that route), I'm not sure how reliable a
Mozilla-operated OCSP responder would be given that the majority of
users who visit sites that use WoSign are probably behind the GFW.

   It would probably be necessary to offer an OCSP responder in
China.  Mozilla already has a small presence in China. See

https://www.mozilla.org/en-US/contact/spaces/beijing/

So Mozilla can apply for an ICP license, if it doesn't
have one already, and obtain server capacity in China.

                                John Nagle
                                SiteTruth
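The delivery paths Patrick lists (SCTs embedded in the certificate, sent in the TLS handshake, or carried in a stapled OCSP response) all hand the client the same RFC 6962 `SignedCertificateTimestampList` structure, so "fail if not found" is a client-side policy over that byte string rather than an online lookup. The following is an added example, not code from this thread, from Mozilla or from any CT log: a stand-alone Python parser for that structure and a minimal policy check requiring SCTs from distinct trusted logs. The log IDs, timestamp and signature bytes are constructed placeholders, and the SCT signatures are not verified (that would need each log's public key).

```python
"""Parser for an RFC 6962 SignedCertificateTimestampList plus a minimal
'fail if no SCT' client policy.  Constructed example; not code from the thread."""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class SCT:
    """One v1 SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    version: int
    log_id: bytes        # SHA-256 of the log's public key
    timestamp_ms: int    # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int        # TLS HashAlgorithm (4 = sha256)
    sig_alg: int         # TLS SignatureAlgorithm (3 = ecdsa)
    signature: bytes     # DER-encoded signature; NOT verified in this example

    @property
    def timestamp(self) -> datetime:
        return datetime.fromtimestamp(self.timestamp_ms / 1000, tz=timezone.utc)


def parse_sct(data: bytes) -> SCT:
    """Decode one TLS-encoded SCT; raise ValueError on truncation or trailing bytes."""
    if len(data) < 43:            # version(1) + log_id(32) + timestamp(8) + ext_len(2)
        raise ValueError("SCT truncated")
    version = data[0]
    if version != 0:              # v1 is encoded as 0
        raise ValueError(f"unsupported SCT version {version}")
    log_id = data[1:33]
    timestamp_ms, ext_len = struct.unpack(">QH", data[33:43])
    pos = 43
    extensions = data[pos:pos + ext_len]
    pos += ext_len
    if len(extensions) != ext_len or len(data) < pos + 4:
        raise ValueError("SCT extensions or signature header truncated")
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", data[pos:pos + 4])
    pos += 4
    signature = data[pos:pos + sig_len]
    if len(signature) != sig_len:
        raise ValueError("SCT signature truncated")
    if pos + sig_len != len(data):
        raise ValueError("trailing bytes after SCT")
    return SCT(version, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def parse_sct_list(data: bytes) -> list:
    """Decode a SignedCertificateTimestampList: a 2-byte total length followed by
    2-byte-length-prefixed SCTs.  This is the byte string carried inside the
    OCTET STRING of X.509 extension 1.3.6.1.4.1.11129.2.4.2, in TLS extension
    type 18, and inside OCSP response extension 1.3.6.1.4.1.11129.2.4.5."""
    if len(data) < 2:
        raise ValueError("SCT list too short")
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    pos, scts = 2, []
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("SCT entry length truncated")
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        if n == 0 or pos + n > len(data):
            raise ValueError("SCT entry truncated")
        scts.append(parse_sct(data[pos:pos + n]))
        pos += n
    return scts


def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes,
               extensions: bytes = b"", hash_alg: int = 4, sig_alg: int = 3) -> bytes:
    """Inverse of parse_sct; used here only to construct sample input."""
    return (bytes([0]) + log_id + struct.pack(">QH", timestamp_ms, len(extensions))
            + extensions + struct.pack(">BBH", hash_alg, sig_alg, len(signature)) + signature)


def encode_sct_list(scts) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


def check_ct_policy(sct_list: bytes, trusted_logs, min_scts: int = 2):
    """Client-side 'fail if not found' policy: require SCTs from at least
    min_scts distinct trusted logs.  Returns (ok, reason).  A malformed list
    fails closed.  Signature verification against each log's key is omitted."""
    try:
        scts = parse_sct_list(sct_list)
    except ValueError as exc:
        return False, f"malformed SCT list: {exc}"
    seen = {s.log_id for s in scts if s.log_id in trusted_logs}
    if len(seen) < min_scts:
        return False, f"{len(seen)} SCT(s) from trusted logs, need {min_scts}"
    return True, f"{len(seen)} SCT(s) from trusted logs"


# Constructed sample data: placeholder log IDs and a dummy signature, not real logs.
LOG_A = bytes([0xAA]) * 32
LOG_B = bytes([0xBB]) * 32
FAKE_SIG = bytes.fromhex("3006020101020102")   # placeholder DER, not a real ECDSA signature
SAMPLE_TS = 1472774713000                      # 2016-09-02T00:05:13Z
SAMPLE_SCT_LIST = encode_sct_list([
    encode_sct(LOG_A, SAMPLE_TS, FAKE_SIG),
    encode_sct(LOG_B, SAMPLE_TS + 1, FAKE_SIG),
])

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_SCT_LIST):
        print(sct.log_id.hex()[:16], sct.timestamp.isoformat())
    print(check_ct_policy(SAMPLE_SCT_LIST, {LOG_A, LOG_B}))   # passes: two trusted logs
    print(check_ct_policy(SAMPLE_SCT_LIST, {LOG_A}))          # fails: only one trusted log
    print(check_ct_policy(SAMPLE_SCT_LIST[:-1], {LOG_A, LOG_B}))  # fails closed on truncation
```

The point of the policy function is the distinction the thread draws: nothing here contacts a log or a responder, so it works equally for an embedded SCT, a TLS-extension SCT or an OCSP-stapled one, and a client that rejects malformed or missing SCT lists gets "fail if not found" without depending on the reachability of any server.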
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy