- From: <michael.mccormick@wellsfargo.com>
- Date: Thu, 28 Dec 2006 23:26:53 -0600
- To: <public-wsc-wg@w3.org>
FWIW... Our SSL certs generally include OCSP URLs in the AIA, and at least some browsers appear to correctly take advantage of it based on requests we see coming into our responders.

Michael McCormick, CISSP
Lead Architect, Information Security

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Yngve N. Pettersen
Sent: Thursday, December 28, 2006 12:10 PM
To: Stephen Farrell
Cc: public-wsc-wg@w3.org
Subject: Re: Browser security warning

On Thu, 28 Dec 2006 16:05:46 +0100, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

> I realise that the browsers are getting pretty good at including the
> ability to do OCSP but my question remains as to how often that
> actually happens.
>
> Presumably the ssl-server-cert has to include the relevant AIA
> extension to trigger this? I've no good feeling for how common that
> extension is in certs, nor for whether or not any interop issues have
> arisen with it - do you know?

I know that Verisign/Thawte and GoDaddy are both issuing certificates with the OCSP information. I am unsure about other CAs but support is picking up, and OCSP support is required by the current EV guidelines draft for certificates issued after 2010.

And roughly speaking we get about one report a month about sites with revoked certificates that are still using the revoked certificate for some reason. Such reports are so frequent that I posted an article titled "Is that website still in business?" <URL: http://my.opera.com/yngve/blog/show.dml/508407 > about the background for the error and how difficult it can be to get it fixed.

--
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                 Email: yngve@opera.com
Opera Software ASA               http://www.opera.com/
Phone: +47 24 16 42 60           Fax: +47 24 16 40 01
********************************************************************
Received on Friday, 29 December 2006 05:26:51 UTC
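
The AIA question raised in this thread, as an added example (not part of the original messages and not any browser's or CA's code): a minimal DER walk that returns the OCSP responder URLs found in a certificate's extensions, using the RFC 5280 OIDs. The function names, the sample extensions and the `example.test` URLs are constructed for illustration; an empty result means the certificate gives a client no responder to query.

```python
OID_AIA = bytes.fromhex("2b06010505070101")         # id-pe-authorityInfoAccess 1.3.6.1.5.5.7.1.1
OID_OCSP = bytes.fromhex("2b06010505073001")        # id-ad-ocsp 1.3.6.1.5.5.7.48.1
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # id-ad-caIssuers 1.3.6.1.5.5.7.48.2

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def ocsp_urls(extensions_der):
    """Return OCSP URLs from a DER 'SEQUENCE OF Extension'; [] means nothing to query."""
    urls = []
    _, exts, _ = read_tlv(extensions_der, 0)
    for _, ext in children(exts):
        fields = children(ext)              # extnID, optional critical BOOLEAN, extnValue
        if fields[0] != (0x06, OID_AIA):
            continue
        _, aia_seq, _ = read_tlv(fields[-1][1], 0)   # OCTET STRING wraps the AIA SEQUENCE
        for _, desc in children(aia_seq):
            (_, method), (loc_tag, loc) = children(desc)[:2]
            if method == OID_OCSP and loc_tag == 0x86:   # [6] uniformResourceIdentifier
                urls.append(loc.decode("ascii"))
    return urls

def tlv(tag, body):
    """Encode a short (<128 byte) DER element; used only to build the constructed samples."""
    return bytes([tag, len(body)]) + body

def sample_extensions(with_ocsp):
    """Constructed sample data: an Extensions SEQUENCE with AIA, optionally with an OCSP entry."""
    descs = tlv(0x30, tlv(0x06, OID_CA_ISSUERS) + tlv(0x86, b"http://ca.example.test/ca.crt"))
    if with_ocsp:
        descs += tlv(0x30, tlv(0x06, OID_OCSP) + tlv(0x86, b"http://ocsp.example.test"))
    return tlv(0x30, tlv(0x30, tlv(0x06, OID_AIA) + tlv(0x04, tlv(0x30, descs))))
```
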