[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
Gervase Markham
gerv at mozilla.org
Mon Sep 12 13:27:05 PDT 2011
On 12/09/11 03:53, Rob Stradling wrote:
>> I'd strongly disagree. :-) If someone has tampered with my clock such
>> that I don't notice a certificate has expired, and so I contact an OCSP
>> responder to ask about it, the last thing I want is a "Good" response.
>
> I see your point, but I think equating "Expired" with "Revoked" would be a
> change in semantics that would constitute a "blatant violation".
Less so than equating "Revoked" with "Good"?
> I appreciate that clock accuracy is important. I have a question on that...
> Why should protection against clock inaccuracy be an integral part of the
> revocation checking protocol? Could the suggested Hardened Revocation
> Checking Profile say "Clients MUST have accurate clocks", explain why this is
> so in the "Security Considerations" section, and leave it up to Clients to
> solve the problem?
Er, no. :-) That doesn't sound very Hardened to me. A much simpler
solution is for the revocation to be whitelist-based. Then anything
expired or unknown is marked as bad, no further question.
Gerv
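An added illustration, not part of this thread, that models the two revocation designs being argued over: a blacklist-style (OCSP/CRL) responder that stops tracking a serial once its certificate expires, beside a CA-published whitelist in which expired or unknown simply means bad. All names, dates and serial numbers are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


def ocsp_responder(serial, revoked, expired_pruned):
    """Toy blacklist-style responder (assumed behaviour): it knows about revoked
    serials and, like many responders, drops serials once the certificate expires."""
    if serial in expired_pruned:
        return "unknown"  # no longer tracked by the responder
    return "revoked" if serial in revoked else "good"


def blacklist_check(cert, now, revoked, expired_pruned):
    """Client in the blacklist model: expiry is judged by the local clock only,
    and anything the responder does not call 'revoked' is accepted."""
    if not (cert.not_before <= now <= cert.not_after):
        return "bad"
    status = ocsp_responder(cert.serial, revoked, expired_pruned)
    return "bad" if status == "revoked" else "good"  # 'unknown' slips through


def ca_whitelist(certs, revoked, ca_now):
    """CA-side snapshot in the whitelist model: only certificates the CA still
    vouches for at ca_now are listed; expired and revoked serials are absent."""
    return {c.serial for c in certs
            if c.serial not in revoked and c.not_before <= ca_now <= c.not_after}


def whitelist_check(cert, now, whitelist):
    """Client in the whitelist model: expired or unknown is bad, no further question."""
    if not (cert.not_before <= now <= cert.not_after):
        return "bad"
    return "good" if cert.serial in whitelist else "bad"


def demo():
    """Constructed scenario: a certificate expired months ago, but the client's
    clock has been set back to a date inside its validity window."""
    utc = timezone.utc
    cert = Cert(42, datetime(2010, 1, 1, tzinfo=utc), datetime(2011, 1, 1, tzinfo=utc))
    real_now = datetime(2011, 9, 12, tzinfo=utc)   # what the CA's clock says
    tampered = datetime(2010, 6, 1, tzinfo=utc)    # what the client's clock says
    wl = ca_whitelist([cert], revoked=set(), ca_now=real_now)
    return {
        "blacklist_tampered": blacklist_check(cert, tampered, set(), {42}),
        "whitelist_tampered": whitelist_check(cert, tampered, wl),
        "whitelist_honest": whitelist_check(cert, real_now, wl),
    }
```

With the rolled-back clock the blacklist client is told "unknown" and accepts the dead certificate, while the whitelist client rejects it because the CA no longer lists it.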