The last few years has been a bit rough for Certificate Authorities (CAs) as hackers have figured out how to obtain certificates in a manner that erodes trust in the system. Not only have they gone after the middle-men in the chain of certificates, but they have gone directly after major CAs effectively compromising the entire system. There have been a few alternatives proposed such as Notary and now the Certificate Authority Security Council (CASC) proposed a new model that leverages OCSP stapling, a technology designed to fix one major issue with the revocation process.
Shredded Brick, by DaveBleasdale
Before OCSP and OCSP stapling, we had Certificate Revocation Lists (CRLs). This fail safe is designed to allow for an issued certificate to be revoked, or declared invalid, such that a client connecting to a server trying to use the certificate would throw errors and show that the connection should not be trusted.
The biggest issue with CRLs was the extra connections required to the CRL service (which may or may not be available) slowing things down, and the privacy concerns associated with the logs generated by a client checking the CRL. OCSP suffers the same problem that CRLs do, but this new concept of OCSP stapling allows for the server to obtain validation information for the certificate and present it along with the certificate to the client. This will remove both the privacy and latency issues with the client doing it.
Major servers already support this, and it seems to address many of the issues around CRLs. It would be nice to augment this with the Notary service to put some trust capabilities back into the hands of the users (albeit, only the the savvy ones). So for you folks out there, what holes do you see in this? Obviously, we are still relying on the CA’s security to keep the bad guys from keeping “valid” certs around for an extended period of time, but this seems to solve one major issue in the chain.
Possibly Related Posts:
- Ten Things Companies Get Wrong About CIAM
- Protect Yourself and Freeze Your Credit
- Selective Domain Filtering with Postfix and a SPAM Filtering Service
- Preventing Account Takeover, Enable MFA!
- Proofpoint Patches URL Sandbox Bypass Bug