
d : dev-security@lists.mozilla.org 6 September 2011 • 7:01PM -0400

Re: OCSP Tracking
by Gervase Markham


On 06/09/11 03:48, Devdatta Akhawe wrote:
> I was surprised to note that DigiNotar had a log of all IPs who had
> requested an OCSP lookup for the bad certs. This seems like a very bad
> idea on the OCSP server's part.

Well, the list of IPs has been passed to Google, who are now able to
warn people accessing Google from those IPs that there is a problem. So
there are both good and bad sides to it.

> Does Mozilla have a policy on such
> behavior (maybe this question should be on dev.security.policy) ? I
> feel like CAs should be explicitly told (by Mozilla) to not log OCSP
> requests.

No policy at the moment.

Gerv
_______________________________________________
dev-security mailing list
dev-security@list...
https://lists.mozilla.org/listinfo/dev-security
