IETF Logo Mail Archive

Re: [TLS] New version of Multiple OCSP mode of Certificate Status

Adam Langley <agl@imperialviolet.org> Wed, 04 August 2010 18:01 UTC

Return-Path: <alangley@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EE72B3A657C; Wed, 4 Aug 2010 11:01:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VSC9ZztVgJhT; Wed, 4 Aug 2010 11:01:25 -0700 (PDT)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by core3.amsl.com (Postfix) with ESMTP id 931343A68CD; Wed, 4 Aug 2010 11:01:25 -0700 (PDT)
Received: by vws10 with SMTP id 10so4599121vws.31 for <multiple recipients>; Wed, 04 Aug 2010 11:01:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:sender:received :in-reply-to:references:date:x-google-sender-auth:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=gbPhD4oBqgn9jqFkojxgqGEdsEqPIAtdLjc/RvYPmG4=; b=cZC9EFqWgn7sxC55TSUZeBoyOKTu3I8v90qY0jNN7xa3Qj5OXFVg5to8V0aqcs47S1 DZ5A+IeCO8RaavP9cM5BHQhpp7MefF5DcchUwiql1x7HSswLZCu8MH0w3flrSTFKCj1a DrEM77W8MFHCS+ROaJG+ikf5/CGNsG5fbdmyM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; b=O0W2eg5TIx8dgnPNxOY+YxRe2MSBqtZra652k71zL/Q5DwtXDDxeJp1NGMfUlsipe2 ICxL+Rr3gYI/3sng/qKO/xHgpyxK0xPq41dlcpeq7POjleNxz8ZLlfhM1+Tgq2MHzEfy KsUrXwxRbvavrutiPUk6c5aMqZV4uejZxHhBs=
MIME-Version: 1.0
Received: by 10.220.88.167 with SMTP id a39mr6506921vcm.73.1280944914716; Wed, 04 Aug 2010 11:01:54 -0700 (PDT)
Sender: alangley@gmail.com
Received: by 10.220.81.11 with HTTP; Wed, 4 Aug 2010 11:01:54 -0700 (PDT)
In-Reply-To: <201008041747.o74HlmWa004600@fs4113.wdf.sap.corp>
References: <op.vgw4c5afvqd7e2@killashandra.oslo.osa> <201008041747.o74HlmWa004600@fs4113.wdf.sap.corp>
Date: Wed, 04 Aug 2010 14:01:54 -0400
X-Google-Sender-Auth: m74iR-UBBtVJX1-9fmONVOXjfYs
Message-ID: <AANLkTik-p__N7mCE2ARwV=C3GD99ahOjZEYFR84zUTiG@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
To: mrex@sap.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: pkix@ietf.org, tls@ietf.org
Subject: Re: [TLS] New version of Multiple OCSP mode of Certificate Status
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Aug 2010 18:01:27 -0000

On Wed, Aug 4, 2010 at 1:47 PM, Martin Rex <mrex@sap.com> wrote:
> Using any information in certificates that have not been verified to
> perform resource-intensive operations is a security problem.  But
> accessing an arbitrary URL presented in an completely unverified
> End-Entity certificate is a "Freddy Krueger" waiting for his next victim.

That seems a little hyperbolic. Accessing completely unverified URLs
is something that browsers do for every single web page.


AGL

-- 
Adam Langley agl@imperialviolet.org http://www.imperialviolet.org

v2.23.0 | Report a Bug | By Email