[openssl-dev] Certificate Limitation Profile

Viktor Dukhovni openssl-users at dukhovni.org
Tue Nov 28 21:03:13 UTC 2017


On Tue, Nov 28, 2017 at 11:37:35PM +0300, Dmitry Belyavsky wrote:

> Thank you. It seems reasonable to add a nextUpdate field to
> the header of the CLP to avoid problems related to using a stale CLP.
> 
> I expect that fresh CLPs in most cases are delivered via the update procedures
> of applications, and the update mechanism allows a fresh enough CLP.
> 
> On the other hand, enforcing freshness can cause difficulties in situations
> when an application becomes unsupported on a specific version of a platform
> (e.g. a stale version of Android/iOS).

Perhaps a sensible way to handle nextUpdate is to refuse to import
a purportedly fresh CLP whose nextUpdate has expired or is older
than what you have.  If an application is failing to get updates,
then it can continue to run with what it has.

The idea is to prevent "rollback" attacks, more than fail closed
on expired CLPs when nothing fresh is available.

-- 
	Viktor.
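
The import rule described in the reply above, sketched in C as an added example (not code from this thread or from OpenSSL). The CLP format is only a proposal here, so `struct clp`, `struct clp_store`, `clp_import` and `clp_current` are hypothetical names, the timestamps are constructed, and accepting a candidate whose nextUpdate equals the installed one is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <time.h>

/* Hypothetical CLP header: only the field discussed in this thread. */
struct clp {
    time_t next_update;  /* the proposed nextUpdate field */
    int    serial;       /* constructed label to tell sample CLPs apart */
};

enum clp_import_result {
    CLP_IMPORTED,
    CLP_REJECT_EXPIRED,  /* candidate's nextUpdate is already in the past */
    CLP_REJECT_ROLLBACK  /* candidate's nextUpdate is older than the installed one */
};

struct clp_store {
    bool       have_clp;
    struct clp installed;
};

/* Freshness is checked only when a new CLP is offered for import. */
enum clp_import_result clp_import(struct clp_store *st,
                                  const struct clp *cand, time_t now)
{
    if (cand->next_update < now)
        return CLP_REJECT_EXPIRED;
    if (st->have_clp && cand->next_update < st->installed.next_update)
        return CLP_REJECT_ROLLBACK;  /* equal nextUpdate is accepted (assumption) */
    st->installed = *cand;
    st->have_clp = true;
    return CLP_IMPORTED;
}

/* Use-time lookup ignores the clock on purpose: an application that gets
 * no updates keeps running with the CLP it already has. */
const struct clp *clp_current(const struct clp_store *st)
{
    return st->have_clp ? &st->installed : NULL;
}

int main(void)
{
    struct clp_store st = {0};
    struct clp fresh = {2000, 1}, older = {1500, 0};  /* constructed samples */
    if (clp_import(&st, &fresh, 1000) != CLP_IMPORTED) return 1;
    if (clp_import(&st, &older, 1000) != CLP_REJECT_ROLLBACK) return 1;
    return clp_current(&st)->serial == 1 ? 0 : 1;
}
```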

