IETF Logo Mail Archive

Re: [TLS] New version of Multiple OCSP mode of Certificate Status

Martin Rex <mrex@sap.com> Wed, 04 August 2010 17:47 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 481073A657C; Wed, 4 Aug 2010 10:47:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.578
X-Spam-Level:
X-Spam-Status: No, score=-9.578 tagged_above=-999 required=5 tests=[AWL=0.671, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HTEb8ox72BOz; Wed, 4 Aug 2010 10:47:30 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id 133E63A67E6; Wed, 4 Aug 2010 10:47:29 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id o74Hlni1028279 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 4 Aug 2010 19:47:50 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201008041747.o74HlmWa004600@fs4113.wdf.sap.corp>
To: yngve@opera.com
Date: Wed, 04 Aug 2010 19:47:48 +0200
In-Reply-To: <op.vgw4c5afvqd7e2@killashandra.oslo.osa> from "Yngve Nysaeter Pettersen" at Aug 4, 10 04:40:07 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: pkix@ietf.org, tls@ietf.org
Subject: Re: [TLS] New version of Multiple OCSP mode of Certificate Status
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Aug 2010 17:47:31 -0000

Yngve Nysaeter Pettersen wrote:
> 
> Opera has a 15-20 second timeout for such operations, as well as AIA  
> intermediate CA cert retrieval.

Why is Opera doing something as extremely dangerous as intermediate CA Cert
retrievel based on AIA?

In the original design, the certificate path validation algorithm
described in rfc-5280 works from the trust anchor downwards to the
end entity cert -- which makes a lot of sense security-wise.

Using any information in certificates that have not been verified to
perform resource-intensive operations is a security problem.  But
accessing an arbitrary URL presented in an completely unverified
End-Entity certificate is a "Freddy Krueger" waiting for his next victim. 

-Martin

v2.23.0 | Report a Bug | By Email