SC-XXX: Availability of URI in Certificates #650

Draft
srdavidson wants to merge 3 commits into cabforum:main from srdavidson:Functioning_URI

@srdavidson

Recent Bugzilla incident reports as well as MDSP discussions have identified issues with non-functioning URI included in certificates ranging from CRLDP to Repository URLs to caIssuers AIA. The existing Baseline Requirements specify where such URI may be used in the certificate profiles but, apart from CRLDP, do not address availability. This ballot seeks to assure the availability of these URI.

@srdavidson srdavidson requested a review from a team as a code owner January 29, 2026 19:24
@srdavidson srdavidson marked this pull request as draft January 29, 2026 19:24
@ryancdickson
Contributor

Thanks for putting this together @srdavidson!

Have you considered how the BRs might also address the challenges described here?

I'd say it relates to the proposed text "The CA MAY limit access to its Repository in accordance with its Risk Assessment."

@XolphinMartijn
Member

> I'd say it relates to the proposed text "The CA MAY limit access to its Repository in accordance with its Risk Assessment."

While I believe the current proposal is too broad, I would be in favour of something akin to this.
As an example, and related to the quoted post, I do not believe blocking specific user-agents should be allowed; any real attacker can already spoof user-agents, so it doesn't increase security at all.

However, the other side here are DDoS attacks. It would seem reasonable to allow CAs to block specific IP addresses, be it temporarily, for such cases.

@romanf

romanf commented Jan 30, 2026

(I posted this today on the google group, sorry for the cross-posting but I feel it's relevant to mention)

8:02 AM (2 hours ago)
to dev-secur...@mozilla.org, Hanno Böck
One thing to consider here is that some CAs may use commercial CDN providers to serve some of the information mentioned. These CDNs often also provide DDoS protection. However, the decision when some access is considered an attack and what requests will then be blocked or let through is typically done by the CDN/DDoS service provider. Putting requirements with regards to e.g. not blocking based on user-agent might be difficult to impossible to implement in this kind of setup.

Regards
Roman
