Re: Mozilla not compliant with RFC 5280

[fhw843]

‎I would hope not! And yet...Firefox has no revocation checking right now (or if you prefer, for the last 17 years). So what's a Firefox user to do...besides not use Firefox?   From: Phillip Hallam-BakerSent: Friday, November 8, 2013 11:51 AMTo: Jeremy RowleyCc: fhw...@gmail.com; mozilla-dev-security-pol...@lists.mozilla.orgSubject: Re: Mozilla not compliant with RFC 5280I don't believe there are any parties who you would want as CAs that support the idea of getting rid of revocation checking.
On Fri, Nov 8, 2013 at 9:35 AM, Jeremy Rowley jeremy.row...@digicert.com wrote:
I imagine every CA would agree with you. OCSP stapling is a great idea, but the number of servers deploying it are very low. I don’t believe any CAs support the idea of getting rid of revocation checking.



From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert@lists.mozilla.org] On Behalf Of fhw...@gmail.com

Sent: Friday, November 08, 2013 6:42 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Mozilla not compliant with RFC 5280



I was hoping to see more responses on this issue. Does that mean people agree it's a problem but aren't sure what to do about it? Is it a small problem because Firefox already does OCSP and all the CA's do too? Or...?




Thanks.


From: fhw...@gmail.com

Sent: Friday, November 1, 2013 5:50 PM

To: Matthias Hunstock; mozilla-dev-security-pol...@lists.mozilla.org

Subject: Re: Mozilla not compliant with RFC 5280



I think that is correct, Matthias.



What's more is that anyone who issues an end-entity cert will be unable to stop FF from using that cert in the future--without OCSP setup--until the expiration date. (I'll need someone to correct me on that.)




I gotta believe there are people out there who issue(d) CRL's thinking that they are now protected when in reality they are not.




From: Matthias Hunstock

Sent: Friday, November 1, 2013 10:46 AM

To: mozilla-dev-security-pol...@lists.mozilla.org

Subject: Re: Mozilla not compliant with RFC 5280



Am 29.10.2013 19:37, schrieb Kathleen Wilson:
 The goal is for the revocation-push mechanism to be used instead of
 traditional CRL checking, for reasons described in the wiki page and the
 research paper.

Everyone with a "self-made" CA will be completely cut off from
revocation checking, except there is an OCSP responder?



Matthias
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy





___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
-- Website: http://hallambaker.com/


___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

RE: Mozilla not compliant with RFC 5280

[Jeremy Rowley]

They currently check revocation information, just not in the most ideal way.  

1)  They don’t check intermediates.  Fortunately, intermediates are rarely 
revoked, and a CA can email Mozilla when it happens.  

2)  They don’t check CRLs, which is one of the reasons the CAB Forum 
requires CAs to provide OCSP information.

3)  They do check end-entity OCSP responses, which all CAs are required to 
provide.

 

Since every CA provides OCSP, there are assurances that users will be aware 
when a certificate is revoked. If Mozilla removes OCSP checks, CAs won’t be 
able to provide revocation information. Although Mozilla will check stapled 
responses, use of OCSP stapling on servers is low.  Even with Mozilla driving 
clients to OCSP stapling, any transition will take a minimum of two years. 
FireFox users will be unable to really rely on a certificate until that time. 

 

The change also raises questions on how this affects CA practices.  Many CAs 
invested substantially in infrastructure to provide reliable OCSP services.  
Most of us boast more than a 99.9% uptime with servers distributed throughout 
the world.  What does this mean for CAs who, relying on Mozilla’s checking of 
OCSP and support of the baseline requirements, established an expensive and 
geographically diverse infrastructure? 

 

Mozilla’s main argument is that revocation checking without hard-fail provides 
little security.  Although I disagree with the premises, if the lack of 
hard-fail is really the issue, the obvious solution is to turn it on. Most of 
the CAs would be happy about that.  

 

From: dev-security-policy 
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert@lists.mozilla.org]
 On Behalf Of fhw...@gmail.com
Sent: Friday, November 08, 2013 11:09 AM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Mozilla not compliant with RFC 5280

 

‎I would hope not! And yet...Firefox has no revocation checking right now (or 
if you prefer, for the last 17 years).

 

So what's a Firefox user to do...besides not use Firefox? 


From: Phillip Hallam-Baker

Sent: Friday, November 8, 2013 11:51 AM

To: Jeremy Rowley

Cc: fhw...@gmail.com; mozilla-dev-security-pol...@lists.mozilla.org

Subject: Re: Mozilla not compliant with RFC 5280

 

I don't believe there are any parties who you would want as CAs that support 
the idea of getting rid of revocation checking.

 

 

 

On Fri, Nov 8, 2013 at 9:35 AM, Jeremy Rowley jeremy.row...@digicert.com 
wrote:

I imagine every CA would agree with you.  OCSP stapling is a great idea, but 
the number of servers deploying it are very low.  I don’t believe any CAs 
support the idea of getting rid of revocation checking.



From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley 
mailto:dev-security-policy-bounces%2Bjeremy.rowley 
=digicert@lists.mozilla.org] On Behalf Of fhw...@gmail.com
Sent: Friday, November 08, 2013 6:42 AM

To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Mozilla not compliant with RFC 5280



I was hoping to see more responses on this issue. Does that mean people agree 
it's a problem but aren't sure what to do about it? Is it a small problem 
because Firefox already does OCSP and all the CA's do too?  Or...?



Thanks.


From: fhw...@gmail.com

Sent: Friday, November 1, 2013 5:50 PM

To: Matthias Hunstock; mozilla-dev-security-pol...@lists.mozilla.org

Subject: Re: Mozilla not compliant with RFC 5280



I think that is correct, Matthias.



What's more is that anyone who issues an end-entity cert will be unable to stop 
FF from using that cert in the future--without OCSP setup--until the expiration 
date. (I'll need someone to correct me on that.)



I gotta believe there are people out there who issue(d) CRL's thinking that 
they are now protected when in reality they are not.




From: Matthias Hunstock

Sent: Friday, November 1, 2013 10:46 AM

To: mozilla-dev-security-pol...@lists.mozilla.org

Subject: Re: Mozilla not compliant with RFC 5280



Am 29.10.2013 19:37, schrieb Kathleen Wilson:
 The goal is for the revocation-push mechanism to be used instead of
 traditional CRL checking, for reasons described in the wiki page and the
 research paper.

Everyone with a self-made CA will be completely cut off from
revocation checking, except there is an OCSP responder?



Matthias
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy





___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy





 

-- 
Website: http://hallambaker.com/





___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy