This is trivially detectable, and doesn't need to be addressed via any CA/B
Forum work.
This particular threat model is already part of other browser certificate
uses (e.g. HTTP Signed Exchanges) and already something (some) browsers
monitor. As Peter Bowen mentions, OCSP and CRLs are just as equa
I had thought that the OCSP privacy concerns were among the reasons for the
general decline in OCSP queries issued by browsers. In addition, part of
the rationale for development and encouragement of deployment of OCSP
stapling.
On Wed, Dec 4, 2019 at 6:12 PM Peter Bowen wrote:
> Why not use OC
Why not use OCSP?
On Wed, Dec 4, 2019 at 3:52 PM Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Not that anyone is presently doing or would do such a thing, but...
>
> Imagine a CA that wanted to offer up a user/browser tracking service to
> their subsc
Not that anyone is presently doing or would do such a thing, but...
Imagine a CA that wanted to offer up a user/browser tracking service to
their subscriber customer.
Is there any rule that prevents an issuing CA from having a "custom"
(hiding an identifier for the end-entity certificate) AIA URL
Yes, I am one of the ones who actively disputes the notion that AIA
considered harmful.
I'm (pleasantly) surprised that any CA would be opposed to AIA (i.e.
supportive of "considered harmful", since it's inherently what gives them
the flexibility to make their many design mistakes in their PKI and
Someone really should write up "AIA chasing considered harmful". It was
disputed at the TLS session at IETF 105, which shows that the reasoning
behind it is not as widely understood as it needs to be, even among TLS
experts.
I'm very appreciative of Firefox's efforts in this area. Leveraging the
All,
Section 5.1 has been added to the CCADB Policy.
https://www.ccadb.org/policy#51-audit-statement-content
Please let me know if you see any problems with the addition.
Thanks,
Kathleen
___
dev-security-policy mailing list
dev-security-policy@list