Duane wrote:
OCSP is turned off by default in mozilla, because frankly, a lot of
home-grown CAs put out certs that claimed they did OCSP, when they
didn't.  So, mozilla would get one of their certs (e.g. from an https
server), try to contact the OCSP server (and fail), and then claim the
cert is revoked (the RIGHT THING to do in that circumstance), much to
the browser user's dismay!

While it might be the right thing to do long term, surely if it fails, ignoring that the check took place might be the easiest approach.

That approach is vulnerable to an attack. Suppose a bad guy has wrongfully obtained a copy of another user's private key. The other user has revoked his own cert, but the bad guy wants to effectively undo the revocation. So, he poisons some DNS caches, getting them to point to the wrong IP address, or takes any of a number of actions that cause OCSP requests to fail for a large number of users.

If the browser silently ignores failed OCSP responses, the bad guy wins.
He has rendered OCSP of no value.

There are standards that define the behavior for these cases.
Ignoring the outcome is not one of the allowed behaviors.
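A compact model of the two policies under discussion, added here as an example and not part of this thread or of Mozilla's code. It assumes a constructed OcspResult record and, beyond the blocked-responder case the reply describes, applies the signature and validity-window checks RFC 6960 requires before a response may be relied on.

```python
"""Hard-fail vs soft-fail handling of OCSP outcomes (constructed model, not NSS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"

@dataclass
class OcspResult:
    """Outcome of one OCSP fetch (hypothetical record); status None means nothing usable came back."""
    status: Optional[CertStatus] = None   # None: timeout, DNS failure, or unparseable response
    signature_valid: bool = False         # signed by the issuing CA or its delegated responder
    this_update: Optional[datetime] = None
    next_update: Optional[datetime] = None

MAX_SKEW = timedelta(minutes=5)  # tolerated clock difference between client and responder

def response_is_trustworthy(r: OcspResult, now: datetime) -> bool:
    """A response counts only if it parsed, verified, and is inside its validity window (RFC 6960 4.2.2.1)."""
    if r.status is None or not r.signature_valid or r.this_update is None:
        return False
    if r.this_update > now + MAX_SKEW:                     # produced "in the future"
        return False
    if r.next_update is not None and r.next_update < now - MAX_SKEW:
        return False                                        # stale: an old response being replayed
    return True

def accept_certificate(policy: str, r: OcspResult, now: datetime) -> bool:
    """'hard': accept only on a trustworthy GOOD. 'soft': reject only on a trustworthy REVOKED."""
    trustworthy = response_is_trustworthy(r, now)
    if policy == "hard":
        return trustworthy and r.status is CertStatus.GOOD
    if policy == "soft":
        return not (trustworthy and r.status is CertStatus.REVOKED)
    raise ValueError(f"unknown policy {policy!r}")

def demo() -> dict:
    """Constructed scenarios; returns {scenario: (soft_fail_accepts, hard_fail_accepts)}."""
    now = datetime.now(timezone.utc)
    h, d = timedelta(hours=1), timedelta(days=1)
    cases = {
        "fresh_good": OcspResult(CertStatus.GOOD, True, now - h, now + d),
        "fresh_revoked": OcspResult(CertStatus.REVOKED, True, now - h, now + d),
        "blocked": OcspResult(),  # responder unreachable: poisoned DNS or dropped requests
        "unsigned_good": OcspResult(CertStatus.GOOD, False, now - h, now + d),
        "stale_good": OcspResult(CertStatus.GOOD, True, now - 30 * d, now - 20 * d),
    }
    return {k: (accept_certificate("soft", r, now), accept_certificate("hard", r, now)) for k, r in cases.items()}
```

Under the soft policy every scenario except a fresh signed REVOKED is accepted, so blocking or replaying the responder reinstates a revoked key; under the hard policy only a fresh signed GOOD is.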


_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
