Tuesday, February 07, 2012

nailing revocation checking's coffin shut?

Google Chrome is taking an action (which I agree with): it will no longer perform online revocation checking for SSL certificates; instead it will ship lists of revoked certificates to the browser as part of its regular automatic update mechanism. Having built an OCSP server back in the day I have a special interest in revocation checking's characteristics and consequences.
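To make the "list shipped with the browser" model concrete, here is an added example (not Chrome's code, not from Adam Langley's post) of the core of such a local revocation store. It keys entries the way Chrome's CRLSets do, by SHA-256 of the issuer's SubjectPublicKeyInfo plus the certificate serial, so a serial only counts as revoked under the issuer that assigned it. The monotonic sequence number, the staleness threshold and the sample SPKI byte strings are constructed assumptions for illustration, not Chrome's actual format.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample issuers: real ones are DER-encoded SubjectPublicKeyInfo
# blobs; short byte strings stand in for them here.
ISSUER_A_SPKI = b"constructed-issuer-A-spki"
ISSUER_B_SPKI = b"constructed-issuer-B-spki"


def spki_hash(spki_der: bytes) -> bytes:
    """Key the list by SHA-256 of the issuer SPKI, as CRLSets do, so that a
    revoked serial is only meaningful under the issuer that assigned it."""
    return hashlib.sha256(spki_der).digest()


@dataclass
class LocalRevocationList:
    sequence: int      # assumed monotonically increasing list version
    issued_at: float   # unix time the list was produced
    entries: dict = field(default_factory=dict)  # spki_hash -> set of serials

    def add(self, issuer_spki: bytes, serial: int) -> None:
        self.entries.setdefault(spki_hash(issuer_spki), set()).add(serial)

    def is_revoked(self, issuer_spki: bytes, serial: int) -> bool:
        return serial in self.entries.get(spki_hash(issuer_spki), set())

    def is_stale(self, now: float, max_age_seconds: float) -> bool:
        # A list nobody has refreshed is the offline analogue of a
        # fail-open OCSP timeout: it silently stops saying "revoked".
        return now - self.issued_at > max_age_seconds


class RevocationStore:
    """Holds the currently trusted list and applies updates to it."""

    def __init__(self, initial: LocalRevocationList):
        self.current = initial

    def apply_update(self, candidate: LocalRevocationList) -> bool:
        """Accept only a strictly newer sequence; replaying an older list
        would otherwise 'un-revoke' certificates."""
        if candidate.sequence <= self.current.sequence:
            return False
        self.current = candidate
        return True

    def status(self, issuer_spki: bytes, serial: int, now: float,
               max_age_seconds: float = 7 * 24 * 3600) -> str:
        """Return 'revoked', 'good', or 'unknown' (list too old to trust;
        the caller's policy decides what to do with 'unknown')."""
        if self.current.is_stale(now, max_age_seconds):
            return "unknown"
        if self.current.is_revoked(issuer_spki, serial):
            return "revoked"
        return "good"


def build_demo_store() -> RevocationStore:
    """Constructed starting state: one revoked serial under issuer A."""
    initial = LocalRevocationList(sequence=1, issued_at=1000.0)
    initial.add(ISSUER_A_SPKI, 0x1A2B)
    return RevocationStore(initial)


if __name__ == "__main__":
    store = build_demo_store()
    print(store.status(ISSUER_A_SPKI, 0x1A2B, now=2000.0))   # revoked
    print(store.status(ISSUER_B_SPKI, 0x1A2B, now=2000.0))   # good: other issuer
    print(store.apply_update(LocalRevocationList(sequence=0, issued_at=500.0)))  # False
```

The lookup itself never touches the network, which is the property the change buys; the two checks around it (rejecting rollback to an older sequence, and reporting "unknown" once the list has aged out) are the parts a deployer has to get right for the offline list not to quietly degrade into "everything is good".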

ars technica provides an excellent summary of Google's action:
http://arstechnica.com/business/guides/2012/02/google-strips-chrome-of-ssl-revocatioan-checking.ars

details on Adam Langley's blog, ImperialViolet:
http://www.imperialviolet.org/2012/02/05/crlsets.html

We're learning, still and again thanks to many excellent security researchers, that the implementation of our global PKI is riddled with weaknesses.  Adam, Moxie Marlinspike (http://www.thoughtcrime.org/about.html) and many others are doing very good work analyzing problems and developing improvements, both tactical and strategic.

However, it seems to me that coordinated activity is needed to identify an agreed set of improvements to roll out. The risk of coordinated activity is that bureaucratic processes will impede progress or be captured by large vendors. The risk of not coordinating is that netizens will need to understand too much technical security detail about specific products or services to use the net securely. NIST, EFF, someone else? Who's taking the lead here?
