ISSUE-205

OCSP Failure Risk

Add security consideration for OCSP failure

State:
CLOSED
Product:
wsc-xit
Raised by:
Johnathan Nightingale
Opened on:
2008-05-14
Description:
Propose the following subsection be added to section 9, as partial response to ISSUE-203

9.2 - Certificate Status Checking Failures

[ref 5.5.1] The TLS Errors section does not document intended behaviour for web user agents when a certificate status check fails for network or other non-revocation reasons. At time of writing, the deployment environment for OCSP status checking is fragile and subject to frequent failures, so it is inappropriate to require user agents to treat such failures as warnings or errors. However, this creates a possibility for attack: site operators using a fraudulently obtained, and revoked, certificate may attempt to attack a CA's revocation infrastructure as a way to suppress revocation errors. User agent countermeasures for this vulnerability include: exposing failures of certificate validation checks to users as warning[ref] or danger[ref] level messages; or refusal to load sites that fail these checks.
Related Actions Items:
No related actions
Related emails:
  1. Meeting record: 2008-05-14 (from tlr@w3.org on 2008-06-06)
  2. Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-05-28 (from ifette@google.com on 2008-05-27)
  3. Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-05-28 (from steele@adobe.com on 2008-05-27)
  4. Agenda: WSC WG distributed meeting, Wednesday, 2008-05-28 (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-05-22)
  5. WSC Open Action Items (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-05-16)
  6. ISSUE-205 (OCSP Failure Risk): Add security consideration for OCSP failure (from sysbot+tracker@w3.org on 2008-05-14)

Related notes:

ACTION-454 has taken care.

Anil Saldhana, 16 May 2008, 18:18:22

Display change log ATOM feed


Mary Ellen Zurko <mzurko@us.ibm.com>, Chair, Thomas Roessler <tlr@w3.org>, Staff Contact
Tracker (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <w3t-sys@w3.org>.
$Id: 205.html,v 1.1 2010/10/11 09:35:12 dom Exp $