dev-security@lists.mozilla.org, 6 September 2011, 10:48AM -0400

OCSP Tracking
by Devdatta Akhawe

Hi folks

I was surprised to note that DigiNotar had a log of all IPs who had
requested an OCSP lookup for the bad certs. This seems like a very bad
idea on the OCSP server's part. Does Mozilla have a policy on such
behavior (maybe this question should be on dev.security.policy)? I
feel like CAs should be explicitly told (by Mozilla) to not log OCSP
requests.

Additionally, one thing I noticed was that if I visit
https://www.secure.com in private browsing mode, Firefox makes an OCSP
request. After closing private browsing mode and going back to the
normal mode, if I go to https://www.secure.com then Firefox caches the
OCSP responses and doesn't make a new OCSP request. This seems like a
leak of information that should be disabled. What do others think?
Thankfully, if I close Firefox after private browsing mode, then
Firefox doesn't cache the OCSP response.


-Devdatta
_______________________________________________
dev-security mailing list
dev-security@list...
https://lists.mozilla.org/listinfo/dev-security
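The cross-mode cache reuse described in the post, as an added toy model (this is not Firefox or NSS code): a shared OCSP response cache answers the later normal-mode visit without a network request, whereas a cache partitioned by browsing mode and discarded when the private session ends does not. The cert identifier and validity window are constructed values.

```python
"""Toy model of an OCSP response cache shared between private and normal browsing.

Constructed example, not Firefox's implementation. It reproduces the behaviour
described in the post: a response fetched in private mode is reused in normal
mode, so no new OCSP request is made, which reveals that the site was visited.
"""
from dataclasses import dataclass, field


@dataclass
class OcspCache:
    partitioned: bool  # True: keep a separate store for private mode, discarded on exit
    _shared: dict = field(default_factory=dict)
    _private: dict = field(default_factory=dict)
    fetches: list = field(default_factory=list)  # (cert_id, mode) pairs that hit the network

    def _store(self, private):
        if self.partitioned and private:
            return self._private
        return self._shared

    def check(self, cert_id, private, now):
        """Return the cached status, fetching only on a miss or once nextUpdate has passed."""
        store = self._store(private)
        entry = store.get(cert_id)
        if entry is None or entry["next_update"] <= now:
            # Cache miss: a real client would now send an OCSP request carrying the
            # certificate's serial number to the CA's responder (constructed response below).
            self.fetches.append((cert_id, "private" if private else "normal"))
            entry = {"status": "good", "next_update": now + 3600}
            store[cert_id] = entry
        return entry["status"]

    def end_private_session(self):
        """Closing the last private window discards everything learned in it."""
        self._private.clear()


def leaks_private_visit(partitioned):
    """True if a normal-mode visit is served from a response fetched in private mode."""
    cache = OcspCache(partitioned=partitioned)
    cert_id = "www.secure.com:serial-01"  # constructed identifier for the site's certificate
    cache.check(cert_id, private=True, now=1000)
    cache.end_private_session()
    cache.check(cert_id, private=False, now=2000)
    # Only one fetch means the normal-mode check reused the private-mode entry.
    return len(cache.fetches) == 1
```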
