On Monday 12 October 2009 16:29:23 Daniel Veditz wrote:
> On 10/12/09 3:13 AM, Rob Stradling wrote:
> > Perhaps the time has come for the browsers to "force" all of the other
> > CAs to take their OCSP responsibility seriously, by requiring OCSP by
> > default.
>
> Firefox cannot take that step unilaterally, otherwise _we_ are the
> broken one in users' eyes.

Indeed.

> An alternate approach I'd like to lobby our front-end guys on would be
> to put up a scary red bar when we can't validate OCSP. Users can still
> get to their sites so they won't ditch us for another browser, site
> owners are still getting traffic so they won't be breathing down _our_
> neck (too much), but the site will look a little scary and link to an
> explanation so site owners can take the issue up with their CA and users
> have the opportunity to decide not to submit sensitive data over the
> connection.

I think that your suggestion strikes a good balance between security and
usability.

Currently PSM's "When an OCSP server connection fails, treat the certificate 
as invalid" checkbox option can be i) checked, for a hard failure on any OCSP 
protocol error, or ii) unchecked, to ignore all OCSP protocol errors.
I suggest retaining both of these options as well as adding your new one, 
which I suppose would mean changing the current checkbox into 3 radio 
buttons...

"When an OCSP server connection fails:
  o   ignore the problem
  o   show a warning  (the new default)
  o   treat the certificate as invalid"

> In the longer term we're working with browser vendors and CAs to make
> OCSP support an understood requirement so that at some point in the
> future we can block connections when we don't get a positive OCSP
> response.  (We do, of course, block connections when we get an explicit
> OCSP revocation.)

-- 
Rob Stradling
Senior Research & Development Scientist
C·O·M·O·D·O - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

Comodo CA Limited, Registered in England No. 04058690
Registered Office:
  3rd Floor, 26 Office Village, Exchange Quay,
  Trafford Road, Salford, Manchester M5 3EQ

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
