Did you know about 1% of the traffic on the internet is protected with SSL (see the Sandvine Report)?
Or that many of the sites responsible for this traffic do not require SSL, and instead just make it available as an option?
Unfortunately, this means users are exposed to risks that otherwise would not be present.
There is a trend to move to protecting all site content with SSL; this effort has been dubbed Always On SSL. The OTA has just recently published a whitepaper on this topic that I had a chance to contribute to.
I have been asked a few times recently what my largest issues are with Firefox and its PKI/TLS implementations. Here is the short-list:
- 725351 – Support enforcing nested EKU constraints, do so by default.
- 579606 – Multiple OCSP requests should be performed in parallel
- 565047 – Implement TLS 1.1 (RFC 4346)
- 436414 – OCSP client should be able to use HTTP GET as well as POST
- 360420 – Implement OCSP Stapling in libSSL
- 399324 – Fetch missing intermediate certs (use AIA extension for incomplete cert chains)
- 378098 – Do not expire OCSP responses that say “revoked”
- 48597 – OCSP needs offline cache (persistent on-disk)
Kathleen at Mozilla has recently set up a page to track revocation-related issues here.
At the most recent CA/Browser Forum, folks from DigiCert and I both made presentations on what’s needed to improve the current state of revocation in X.509.
There were really two different themes in these presentations:
- We can better use the technologies we have today.
- We can make “tweaks” to the technologies we have today to improve the situation.
It was not really possible to go into any details about these proposals, given that the time slots allocated were more presentation-oriented. Since the DigiCert guys had already engaged with Massimiliano Pala of NYU Polytechnic University (the founder of the OpenCA project), they agreed to work with him to arrange this workshop.
The session is April 16th (I leave tomorrow), and I am looking forward to the chance to talk about this topic. My goals for the session are that we get to agreements on:
- Authoring a whitepaper on OCSP responder best practices.
- Authoring a whitepaper on revocation client best practices.
- Agreeing on an approach to “opt-in” hard revocation checking.
- Agreeing on a path forward to resolve the many outstanding Firefox revocation issues.
- Funding Nginx to add support for OCSP stapling this year.
There are lots of other potentially interesting topics I am sure will come up:
- Getting Apache’s OCSP stapling enabled by default.
- Short-lived certificates, their potential and challenges.
- Defining a new transport for OCSP via DNS.
- Defining a new query-less, OCSP-like protocol.
- CRLsets and their place in the browser ecosystem.
Should be an interesting day for sure.