On 13-Oct-09, at 2:04 AM, Rob Stradling wrote:
An alternate approach I'd like to lobby our front-end guys on would be
to put up a scary red bar when we can't validate OCSP.
I think that your suggestion strikes a good balance between security
and useability.
Sorry I missed this thread - Canadian thanksgiving wreaks havoc on an
inbox.
This piece of this conversation sounds an awful lot like:
https://bugzilla.mozilla.org/show_bug.cgi?id=496661,
and in comment 8, I outline my own thinking on the constraints under
which that kind of UI would need to operate. I'm not sure I agree with
Nelson in comment 11, characterizing my reply as a de facto WONTFIX,
but I do feel like it's a hard line to walk. The temptation to attach
UI to this problem sets off "blame the user" alarms for me - do we
think that users will make better decisions with this information? Like
I say, I don't think we're at WONTFIX on this question, but I don't
think it's an easy problem to solve correctly, either.
As for ipsCA, I find myself agreeing with Eddy's point: that the null
bytes are a regrettable validation error that we should work with
ipsCA to ensure they fix; but NXDOMAIN on an OCSP server that appears
in issued certs is a bigger problem. I'm talking with Frank and
Kathleen about options there. I think contacting the CA and
understanding their situation is certain to be part of it. I think
suspension of their trust bits is a possible outcome, but it's
premature to talk about that before giving ipsCA a full chance to
explain things. We break 6k cert holders if we do that, which I'll
support if we don't have better options, but I don't see that we're
there yet.
Do others really feel like we've exhausted other options or that
attempts to communicate with the CA are fruitless?
Johnathan
---
Johnathan Nightingale
Human Shield
[email protected]