#* Related Bugs: {{Bug|1025625}}, {{Bug|997509}}

= Future Considerations =
While testing mozilla::pkix, we noticed the following things that we would like to consider.
# In the [https://cabforum.org/baseline-requirements-documents/ BRs], the statement: "OCSP responses from this service MUST have a maximum expiration time of ten days." needs to be added to the Subordinate CA Certificates section of BR #13.2.2. If a CA with an intermediate OCSP nextUpdate six months in the future actually revokes that intermediate today because an attacker got its private key, then an attacker could still MitM users for 6 months from today. We need to require intermediate OCSP nextUpdate values to be 10 days from thisUpdate or less.
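To make the exposure window concrete, here is an added Python example (not Mozilla or mozilla::pkix code) that parses the GeneralizedTime values an OCSP response carries in thisUpdate/nextUpdate, flags responses whose window exceeds the ten-day limit proposed above, and computes how long a stale "good" response keeps a revoked intermediate usable. The sample timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Upper bound the text argues should apply to intermediate OCSP responses as
# well as subscriber ones: nextUpdate no more than ten days after thisUpdate.
MAX_OCSP_VALIDITY = timedelta(days=10)


def parse_generalized_time(value: str) -> datetime:
    """Parse the GeneralizedTime form used for OCSP thisUpdate/nextUpdate
    (YYYYMMDDHHMMSSZ, always UTC). Fractional seconds are not handled here."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity_window(this_update: str, next_update: str) -> timedelta:
    """Length of time a client may keep treating the response as fresh."""
    start, end = parse_generalized_time(this_update), parse_generalized_time(next_update)
    if end <= start:
        raise ValueError("nextUpdate must be later than thisUpdate")
    return end - start

def exceeds_max_validity(this_update: str, next_update: str) -> bool:
    """True when the response would violate the proposed ten-day limit."""
    return validity_window(this_update, next_update) > MAX_OCSP_VALIDITY

def exposure_after_revocation(this_update: str, next_update: str, revoked_at: str) -> timedelta:
    """How long a 'good' response signed before revocation keeps the revoked
    certificate usable: a stale response can be replayed (e.g. stapled) until
    nextUpdate, regardless of when the CA actually revoked."""
    start = parse_generalized_time(this_update)
    end = parse_generalized_time(next_update)
    revoked = parse_generalized_time(revoked_at)
    if revoked <= start:
        return timedelta(0)  # a response signed after revocation already says so
    return max(timedelta(0), end - revoked)


# Constructed sample values (not from any real CA): an intermediate whose last
# 'good' response was signed on 1 June 2014 with nextUpdate six months later,
# and which the CA revoked on 10 June 2014 after a key compromise.
LONG_LIVED = ("20140601000000Z", "20141201000000Z", "20140610000000Z")
# The same timeline with a response that respects the ten-day limit.
TEN_DAY = ("20140601000000Z", "20140611000000Z", "20140610000000Z")

if __name__ == "__main__":
    for label, (t0, t1, rev) in (("six-month", LONG_LIVED), ("ten-day", TEN_DAY)):
        print(f"{label}: window={validity_window(t0, t1).days}d violates={exceeds_max_validity(t0, t1)} "
              f"exposure={exposure_after_revocation(t0, t1, rev).days}d")
```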