No edit summary
Line 61: | Line 61: | ||
* Turn on OCSP "hard fail" by default for everything. | * Turn on OCSP "hard fail" by default for everything. | ||
* Turn on OCSP "hard fail" just for EV (currently, we have a soft-fail - EV is downgraded to DV if OCSP fails). | * Turn on OCSP "hard fail" just for EV (currently, we have a soft-fail - EV is downgraded to DV if OCSP fails). | ||
* Change it so that an OCSP failure is a hard failure if the site is using [http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security HSTS]. Note that | * Change it so that an OCSP failure is a hard failure if the site is using [http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security HSTS]. Note that [http://www.ietf.org/mail-archive/web/websec/current/msg00296.html Chrome is moving in the opposite direction] for site uptime reasons. | ||
OCSP improvement solutions would need to deal with protocol problems such as the current ability to [http://thoughtcrime.org/papers/ocsp-attack.pdf return "try again later"], as well as the uptime objections raised by large sites. They would also need to deal with issues like captive portals on WiFi hotspots where the login page is SSL-protected, and scenarios around proxy auth. | OCSP improvement solutions would need to deal with protocol problems such as the current ability to [http://thoughtcrime.org/papers/ocsp-attack.pdf return "try again later"], as well as the uptime objections raised by large sites. They would also need to deal with issues like captive portals on WiFi hotspots where the login page is SSL-protected, and scenarios around proxy auth. |
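Review bot: the clause added to the HSTS bullet ("Chrome is moving in the opposite direction for site uptime reasons") leaves the reader to follow the link to learn what that direction is; state it inline (that Chrome is moving away from hard failure on OCSP errors rather than toward it) so the bullet stands on its own, and tie "for site uptime reasons" to the "uptime objections raised by large sites" in the paragraph that follows, since the same objection now appears twice without a cross-reference. The HSTS-only variant also does not escape the captive-portal and proxy-auth scenarios listed below, because an HSTS site's OCSP responder is no more reachable from behind a login page than any other site's; a short clause saying that this option limits the scope of hard failure but still needs those cases handled would keep the bullet consistent with the closing paragraph.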