On 10/12/09 3:13 AM, Rob Stradling wrote:
> Perhaps the time has come for the browsers to "force" all of the other CAs to take their OCSP responsibility seriously, by requiring OCSP by default.
Firefox cannot take that step unilaterally, otherwise _we_ are the broken one in users' eyes.
An alternate approach I'd like to lobby our front-end guys on would be to put up a scary red bar when we can't validate OCSP. Users can still get to their sites so they won't ditch us for another browser, site owners are still getting traffic so they won't be breathing down _our_ neck (too much), but the site will look a little scary and link to an explanation so site owners can take the issue up with their CA and users have the opportunity to decide not to submit sensitive data over the connection.
In the longer term we're working with browser vendors and CAs to make OCSP support an understood requirement so that at some point in the future we can block connections when we don't get a positive OCSP response. (We do, of course, block connections when we get an explicit OCSP revocation.)
_______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
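The decision logic sketched in the reply, written out as an added example (this is illustrative code, not Firefox's or NSS's implementation): a verified revocation blocks the connection, a fresh and verified "good" answer allows it, and everything else (responder unreachable, unverifiable signature, stale "good", or "unknown") either warns or, under the stricter future policy, blocks. The `OCSPResult` structure, the scenario names and the 7-day maximum age are assumptions made for the example.

```python
"""Soft-fail vs. hard-fail OCSP handling policy (added illustration, not Mozilla code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # responder has no record of this certificate


class Action(Enum):
    ALLOW = "allow"   # plain padlock
    WARN = "warn"     # page loads, but with the red bar and an explanation link
    BLOCK = "block"   # connection refused


@dataclass
class OCSPResult:
    """What the TLS stack knows after one OCSP fetch (hypothetical structure)."""
    reachable: bool                          # responder answered (no DNS/TCP/timeout failure)
    signature_valid: bool = False            # signed by the issuer or its delegated responder
    status: Optional[CertStatus] = None
    this_update: Optional[datetime] = None   # thisUpdate from the SingleResponse
    next_update: Optional[datetime] = None   # nextUpdate, if the responder set one


MAX_AGE = timedelta(days=7)  # assumed cap on how old a "good" answer may be without nextUpdate
NOW = datetime(2009, 10, 12, 12, 0, tzinfo=timezone.utc)  # constructed clock for the demo


def is_fresh(r: OCSPResult, now: datetime) -> bool:
    """A response only counts if its validity window covers 'now'."""
    if r.this_update is None or r.this_update > now:
        return False
    if r.next_update is not None and r.next_update < now:
        return False
    return now - r.this_update <= MAX_AGE


def decide(r: OCSPResult, now: datetime, hard_fail: bool = False) -> Action:
    """Map one OCSP outcome to a UI action.

    hard_fail=False is the interim behaviour the post describes: only an explicit,
    verified revocation blocks; any failure to get a usable answer just warns.
    hard_fail=True is the eventual policy: no positive answer, no connection.
    """
    if r.reachable and r.signature_valid:
        # A verified revocation is final; staleness does not un-revoke a certificate.
        if r.status is CertStatus.REVOKED:
            return Action.BLOCK
        # A "good" answer must be fresh: an old "good" response replayed later is
        # exactly what must not be accepted once the certificate has been revoked.
        if r.status is CertStatus.GOOD and is_fresh(r, now):
            return Action.ALLOW
    # Unreachable responder, bad signature, stale "good", or UNKNOWN.
    return Action.BLOCK if hard_fail else Action.WARN


def sample_outcomes(now: datetime = NOW) -> dict:
    """Constructed scenarios, each mapped to (interim action, strict action)."""
    h1, d3 = timedelta(hours=1), timedelta(days=3)
    cases = {
        "good": OCSPResult(True, True, CertStatus.GOOD, now - h1, now + d3),
        "revoked": OCSPResult(True, True, CertStatus.REVOKED, now - h1, now + d3),
        "stale_good": OCSPResult(True, True, CertStatus.GOOD,
                                 now - timedelta(days=30), now - timedelta(days=23)),
        "unknown": OCSPResult(True, True, CertStatus.UNKNOWN, now - h1, now + d3),
        "bad_signature": OCSPResult(True, False, CertStatus.GOOD, now - h1, now + d3),
        "unreachable": OCSPResult(False),
    }
    return {name: (decide(r, now), decide(r, now, hard_fail=True))
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, (interim, strict) in sample_outcomes().items():
        print(f"{name:14s} interim={interim.value:5s} strict={strict.value}")
```

Running it prints one line per scenario; the only row that differs between the two columns is nothing in the "good" and "revoked" cases, while the four failure cases go from `warn` to `block` once the strict policy is switched on, which is the transition the reply describes.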
