
CRL/OCSP on IPv6-only networks


s...@gmx.ch

Feb 28, 2020, 5:34:53 PM
to dev-secur...@lists.mozilla.org
Hi,

While I was connected to an IPv6-only network I noticed that some CAs
(e.g. Amazon, DigiCert, GoDaddy, QuoVadis) do not provide IPv6 on their
CRL and OCSP endpoints. This means that certificate revocation does not
work if you have no IPv6 or, depending on your security policy (e.g.
requiring a valid OCSP response), you get a lot of false positives.

Currently there is no section in the CA BR that requires dual-stack for
CRL/OCSP. However, IPv6-only environments do exist and they will
increase in the future. So I wonder if you're aware of this issue and if
there are any plans for mitigation.

Best regards,

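The failure mode described in this post can be audited before it bites: resolve each CRL and OCSP hostname and see whether it has any AAAA record, then work out what an IPv6-only client would do under a soft-fail versus a hard-fail revocation policy. The following is an added example, not code from the thread or from any CA; the endpoint URLs and the stub DNS table are constructed placeholders, and `resolve` can be left at its default to query real DNS.

```python
"""Audit CRL/OCSP endpoints for IPv6 reachability (added example)."""
import socket
from urllib.parse import urlparse

# Constructed sample: revocation URLs as they might appear in a certificate's
# AIA and CRL Distribution Points extensions. Hostnames are placeholders.
SAMPLE_ENDPOINTS = {
    "ocsp": ["http://ocsp.example-ca.test"],
    "crl": ["http://crl.example-ca.test/root.crl",
            "http://crl6.example-ca.test/root.crl"],
}

# Constructed stub standing in for DNS: hostname -> address families answered.
# Only crl6 has an AAAA record (AF_INET6).
STUB_DNS = {
    "ocsp.example-ca.test": {socket.AF_INET},
    "crl.example-ca.test": {socket.AF_INET},
    "crl6.example-ca.test": {socket.AF_INET, socket.AF_INET6},
}

def stub_resolve(host):
    """Offline resolver backed by the constructed STUB_DNS table."""
    return STUB_DNS.get(host, set())

def live_resolve(host):
    """Address families real DNS returns for host (A -> AF_INET, AAAA -> AF_INET6)."""
    try:
        return {fam for fam, *_ in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def audit_endpoints(endpoints, resolve=live_resolve):
    """Return, per mechanism, the revocation URLs whose host has no AAAA record."""
    v4_only = {}
    for kind, urls in endpoints.items():
        host_of = lambda u: urlparse(u).hostname or ""
        v4_only[kind] = [u for u in urls if socket.AF_INET6 not in resolve(host_of(u))]
    return v4_only

def revocation_outcome(endpoints, hard_fail, resolve=live_resolve):
    """What an IPv6-only client gets: 'checked' if any CRL/OCSP URL is reachable
    over IPv6; otherwise 'rejected' under hard-fail (a false positive for an
    unrevoked cert) or 'unchecked' under soft-fail (revocation silently skipped)."""
    v4_only = audit_endpoints(endpoints, resolve)
    reachable = any(len(v4_only[k]) < len(endpoints[k]) for k in endpoints)
    if reachable:
        return "checked"
    return "rejected" if hard_fail else "unchecked"
```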

Ryan Sleevi

Feb 28, 2020, 5:59:52 PM
to s...@gmx.ch, dev-secur...@lists.mozilla.org
Yes, this is known as a gap.

This was discussed in the CA/Browser Forum in 2015, but there did not seem
to be support from CAs to adopt.

You can look in the following minutes available at CABForum.org
- 2014-12-12
- 2015-01-08
- 2015-02-19
- 2015-03-05

As well as the 2016-05-25

You can find some of the discussion also available at
https://cabforum.org/pipermail/public/2014-December/004756.html