Opened 7 years ago

Last modified 6 years ago

#50 new defect

Ordering of revocation checking and SCT processing by TLS Clients

Reported by: rob.stradling@…
Owned by: draft-ietf-trans-rfc6962-bis@…
Priority: major
Milestone: (none)
Component: client-behavior
Version: (none)
Severity: -
Keywords: (none)
Cc: (none)

Description

Brian Smith wrote:
"...the spec. doesn't talk about the ordering of doing revocation checking and SCT processing during certificate chain validation. I believe that the best ordering is to process SCTs, and reject certificates without SCTs, before doing revocation checking or path building, especially revocation checking and path building that requires doing any networking (OCSP fetching and/or AIA chasing), because this reduces the risks that are inherent in doing that networking and with doing path building in general. The draft should be changed to say that."
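To make the ordering argument concrete, here is an added illustration (not part of the ticket, and not code from any TLS client or the rfc6962-bis draft): a toy validation pipeline that can run SCT processing and revocation checking in either order, with a fake network that records every OCSP fetch. The certificates, SCT tokens, OCSP URL and responder reply are all constructed placeholders, and the SCT check itself is a stand-in (a real client verifies each SCT's log signature against its trusted log list). The point it shows is that with SCTs processed first, a certificate lacking SCTs is rejected with zero network activity, whereas revocation-first ordering performs the fetch before discovering the certificate would be rejected anyway.

```python
# Added example (not from the ticket): a toy TLS-client validation pipeline
# showing why processing SCTs before network-dependent revocation checking
# limits the client's exposure to the network. All certificates, SCTs,
# URLs and OCSP responses here are constructed placeholders, not real data.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    subject: str
    scts: List[str]                 # constructed SCT tokens; "" stands for an unusable SCT
    ocsp_url: Optional[str] = None  # constructed OCSP responder URL, if any


class FakeNetwork:
    """Records every OCSP fetch so the effect of step ordering is visible."""

    def __init__(self) -> None:
        self.fetches: List[str] = []

    def ocsp_fetch(self, url: str) -> str:
        self.fetches.append(url)
        return "good"  # constructed reply; a real client parses a signed OCSP response


def verify_scts(cert: Cert, min_scts: int = 1) -> bool:
    """Hypothetical SCT check: a token counts if it is non-empty.
    A real client verifies each SCT's signature against its trusted log list."""
    return sum(1 for s in cert.scts if s) >= min_scts


def check_revocation(cert: Cert, net: FakeNetwork) -> bool:
    """Revocation check that needs the network whenever an OCSP URL is present."""
    if cert.ocsp_url is None:
        return True
    return net.ocsp_fetch(cert.ocsp_url) == "good"


def validate(cert: Cert, net: FakeNetwork, sct_first: bool) -> Tuple[bool, List[str]]:
    """Run both checks in the chosen order, stopping at the first failure.
    Returns (accepted, trace of steps actually executed)."""
    steps = [("sct", verify_scts), ("revocation", lambda c: check_revocation(c, net))]
    if not sct_first:
        steps.reverse()
    trace: List[str] = []
    for name, check in steps:
        ok = check(cert)
        trace.append(f"{name}:{'ok' if ok else 'fail'}")
        if not ok:
            return False, trace
    return True, trace


def fetches_for(cert: Cert, sct_first: bool) -> int:
    """Number of network fetches one validation of `cert` triggers under the given ordering."""
    net = FakeNetwork()
    validate(cert, net, sct_first)
    return len(net.fetches)


if __name__ == "__main__":
    # Constructed certificate with no SCTs but an OCSP responder URL.
    no_sct = Cert("example.invalid (constructed)", scts=[], ocsp_url="http://ocsp.example.invalid")
    print("SCT first:       ", validate(no_sct, FakeNetwork(), True), "fetches:", fetches_for(no_sct, True))
    print("Revocation first:", validate(no_sct, FakeNetwork(), False), "fetches:", fetches_for(no_sct, False))
```

Running the block prints the trace for each ordering; the SCT-first run ends at `sct:fail` with no fetch recorded, while the revocation-first run records one fetch before reaching the same rejection.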

Change History (4)

comment:1 Changed 7 years ago by benl@…

Surely this depends on the action the client intends to take in response to an SCT check failure? If it is to proceed but with some kind of UI indication, then whether revocation checking should be done or not depends on the details of that UI indication.

comment:2 Changed 7 years ago by benl@…

  • Component changed from rfc6962-bis to client-behavior

comment:3 Changed 6 years ago by katjoyce@…

  • Owner changed from draft-ietf-trans-rfc6962-bis@… to katjoyce@…

comment:4 Changed 6 years ago by katjoyce@…

  • Owner changed from katjoyce@… to draft-ietf-trans-rfc6962-bis@…