
Re: [SECURITY] [DSA 2939-1] chromium-browser security update



On Sat, May 31, 2014 at 3:13 PM, Andrew McGlashan wrote:
> Google did have OCSP, but they deliberately removed it recently.
>
> FWIW, Steve Gibson has a very good take on all of this.
>
> The OCSP server not found issue is rare; in the past the /main/ CAs got
> together to discuss the OCSP issue and they created CDNs to deal with
> issues like not being able to connect to the OCSP server.  The page that
> was linked from /google's/ pov ... was quite old btw.
>
> Google pushed back on OCSP when Steve Gibson had much to say about the
> whole revocation mess and he talked about alternative ideas that the
> industry is considering.  The CAs backed Steve's take and can't seem to
> understand why Google would push back so hard to go against the OCSP
> idea and other possible solutions.

So, I think you're putting too much faith in the cult of personality.

Google's arguments from 2011 and 2012 are still perfectly valid today:
https://www.imperialviolet.org/2011/03/18/revocation.html

And they are in fact looking into must-staple as a solution, but
certificate lifetimes need to be reduced to days or less rather than
years first:
https://www.imperialviolet.org/2014/04/19/revchecking.html

That's an incredibly difficult political, rather than technical
problem.  It's up to the entire ecosystem to move toward short-lived
certificates, and that isn't happening any time soon.  All other
existing solutions are simply "security theater".

In the meantime, Google has decided to avoid those theatrics by
clearly stating not to trust anything, and I personally respect that
honesty.

Best wishes,
Mike
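A defender-side check for the two properties the reply above rests on, must-staple and short certificate lifetimes, as an added example in Go that is not part of the original thread. The TLS Feature extension OID and the status_request value (5) come from RFC 7633; NewTestCert is a hypothetical helper that constructs a self-signed certificate purely for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// TLS Feature extension OID (RFC 7633); feature value 5 = status_request, i.e. "must-staple".
var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}

// HasMustStaple reports whether cert demands a stapled OCSP response, so a verifier
// can hard-fail on a missing staple instead of silently skipping revocation.
func HasMustStaple(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidTLSFeature) { continue }
		var features []int // DER: SEQUENCE OF INTEGER
		if _, err := asn1.Unmarshal(ext.Value, &features); err != nil {
			continue // malformed extension: treat as absent
		}
		for _, f := range features {
			if f == 5 {
				return true
			}
		}
	}
	return false
}

// Lifetime is the validity window; "short-lived" means it is at or below the caller's policy limit.
func Lifetime(cert *x509.Certificate) time.Duration { return cert.NotAfter.Sub(cert.NotBefore) }

// NewTestCert builds a constructed self-signed certificate (hypothetical helper, not from the page).
func NewTestCert(lifetime time.Duration, mustStaple bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	now := time.Now().Truncate(time.Second) // whole seconds so the lifetime survives DER encoding
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(lifetime)}
	if mustStaple {
		der, _ := asn1.Marshal([]int{5})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidTLSFeature, Value: der}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

Run Lifetime against a 7-day policy limit to see how far a one-year certificate is from the short-lived model the reply describes.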
