On 31/08/14 19:44, Brian Smith wrote:
<snip>
You are right that the spec. doesn't talk about the ordering of doing
revocation checking and SCT processing during certificate chain
validation. I believe that the best ordering is to process SCTs, and
reject certificates without SCTs, before doing revocation checking or
path building, especially revocation checking and path building that
requires doing any networking (OCSP fetching and/or AIA chasing),
because this reduces the risks that are inherent in doing that
networking and with doing path building in general. The draft should
be changed to say that.
I've just added http://trac.tools.ietf.org/wg/trans/trac/ticket/50
<snip>
If there are good reasons to ignore SCTs in non-stapled OCSP responses, I'd
like to know about them, and they probably should be mentioned in the RFC.
A browser needs a reliable mechanism for getting SCTs in order for the
browser to be able to make SCTs mandatory. Browsers that make SCTs
mandatory would ultimately be what would make CT effective. OCSP
fetching is not reliable, in theory or in practice, so a client cannot
rely on getting SCTs via OCSP fetching. A browser that processed SCTs
in fetched OCSP responses would be encouraging websites to avoid the
reliable mechanisms of SCT delivery in favor of an unreliable
mechanism, causing CT to be unreliable and thus ineffective.
I've just added http://trac.tools.ietf.org/wg/trans/trac/ticket/49
Thanks, Brian!
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
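The two points above (SCT processing before any network-bound path building or revocation checking, and counting only SCTs delivered by mechanisms the server controls) can be seen in a small model validator. This is an added illustration written for this page, not code from the thread, the CT draft, or any browser; the `Certificate`, `OcspResponse`, `Handshake` and `Network` types are constructed stand-ins for parsed X.509 and TLS structures, and SCTs are plain strings rather than decoded `SignedCertificateTimestamp` values.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


# Constructed stand-ins (assumption): a real client decodes the X.509 SCT list
# extension, the TLS signed_certificate_timestamp extension and the OCSP
# response extension; here each SCT is just an opaque string.
@dataclass
class Certificate:
    subject: str
    issuer: str
    embedded_scts: List[str] = field(default_factory=list)


@dataclass
class OcspResponse:
    status: str                                   # "good" | "revoked" | "unknown"
    scts: List[str] = field(default_factory=list)  # SCTs carried in the response


@dataclass
class Handshake:
    leaf: Certificate
    tls_extension_scts: List[str] = field(default_factory=list)
    stapled_ocsp: Optional[OcspResponse] = None   # delivered by the server itself


class Network:
    """Simulated OCSP responder and AIA server; counts every round trip so the
    caller can see how much networking each validation order causes."""

    def __init__(self, ocsp: OcspResponse, issuer_chain: List[Certificate]) -> None:
        self.ocsp = ocsp
        self.chain = issuer_chain
        self.round_trips = 0

    def fetch_ocsp(self, cert: Certificate) -> OcspResponse:
        self.round_trips += 1
        return self.ocsp

    def aia_chase(self, cert: Certificate) -> List[Certificate]:
        self.round_trips += 1
        return self.chain


def reliable_scts(hs: Handshake) -> List[str]:
    """SCTs from mechanisms the server controls: embedded, TLS extension and
    stapled OCSP. SCTs in an OCSP response the client fetched itself are
    deliberately not counted, since that fetch may never succeed."""
    scts = list(hs.leaf.embedded_scts) + list(hs.tls_extension_scts)
    if hs.stapled_ocsp is not None:
        scts += hs.stapled_ocsp.scts
    return scts


def _path_and_revocation(hs: Handshake, net: Network) -> Tuple[bool, str]:
    # Path building (AIA chasing) and revocation checking (OCSP fetch): the
    # steps that may need the network. A stapled response avoids the fetch.
    chain = net.aia_chase(hs.leaf)
    if not chain or chain[0].subject != hs.leaf.issuer:
        return False, "rejected: no path to issuer"
    resp = hs.stapled_ocsp if hs.stapled_ocsp is not None else net.fetch_ocsp(hs.leaf)
    if resp.status != "good":
        return False, "rejected: revocation status " + resp.status
    return True, "accepted"


def validate_sct_first(hs: Handshake, net: Network, min_scts: int = 1) -> Tuple[bool, str]:
    """Recommended order: enforce the SCT policy before touching the network."""
    if len(reliable_scts(hs)) < min_scts:
        return False, "rejected: insufficient SCTs"
    return _path_and_revocation(hs, net)


def validate_revocation_first(hs: Handshake, net: Network, min_scts: int = 1) -> Tuple[bool, str]:
    """Contrast: same policy, but the network round trips happen even for a
    certificate that will be rejected anyway for lacking SCTs."""
    ok, reason = _path_and_revocation(hs, net)
    if not ok:
        return ok, reason
    if len(reliable_scts(hs)) < min_scts:
        return False, "rejected: insufficient SCTs"
    return True, "accepted"


if __name__ == "__main__":
    issuer = Certificate("Example CA", "Example Root")
    # Constructed case: no reliable SCTs, but the fetchable OCSP response carries some.
    leaf = Certificate("example.test", "Example CA")
    net = Network(OcspResponse("good", ["sct-from-fetched-ocsp"]), [issuer])
    print(validate_sct_first(Handshake(leaf), net), "round trips:", net.round_trips)
```

Run stand-alone, the leaf without embedded, TLS-extension or stapled SCTs is rejected with zero round trips under `validate_sct_first`; `validate_revocation_first` reaches the same verdict only after two network round trips, and in neither order do the SCTs sitting in the fetched OCSP response count toward the policy.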