8 tweets, 1 min read
So for web-based PKI applications to properly validate chains, they need the ability to fetch crypto evidence such as CRLs, OCSP responses, and sometimes intermediate certs.
This is problematic because the browser enforces the same-origin policy (as it should), which means a web application cannot fetch these bits of evidence. The browser provides a mechanism to bypass this limitation; it is called Cross-Origin Resource Sharing (CORS).
The thing is, virtually no certificate/CRL repositories or OCSP responders set their CORS policies in such a way as to allow web applications to request these resources.
This means that for a digital signature application, for example, to work reliably, all necessary evidence should be embedded in the document so no additional wire connections are needed.
In the context of digital signatures, this is a requirement for what are called Long Term Validation (LTV) signatures. The problem is that even LTV signatures often do not contain this information. In other words, they claim to be LTV but are not.
In general, though, I believe CAs should allow CORS requests to their repositories; these repositories exist for the purpose of resource sharing, and this is the mechanism the web gives for that.
Absent that, web-based PKI applications either need to provide an authenticated proxy in the same origin that can fetch these resources for the client, or an unauthenticated one.
Both are not ideal, as they can potentially be used as a tool to attack another site; of course, an authenticated one is better in that regard.
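The two decisions the thread turns on, as an added example that is not part of Ryan Hurst's thread: whether a browser will let page script read a CRL or OCSP response fetched cross-origin, and what a same-origin fetch proxy must refuse so it cannot be turned against another site. All hostnames, header values and certificate URLs are constructed sample data, and the proxy allow-list is one reasonable design rather than anything the thread prescribes; the function names are this example's own.

```javascript
// Added example (not code from Ryan Hurst's thread). Two decisions a browser
// based PKI validator and its same-origin fetch proxy have to make. All host
// names, header values and certificate URLs are constructed sample data, and
// the proxy policy is one reasonable design, not one the thread prescribes.

// Case-insensitive header lookup, as browsers treat header names.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Can script running on pageOrigin read the response body for resourceUrl?
// Same-origin: always. Cross-origin: only when the response carries a matching
// Access-Control-Allow-Origin (plus Allow-Credentials if cookies or a TLS client
// certificate were sent). A CRL/OCSP endpoint that sends no ACAO header at all
// yields an opaque failure, so the evidence is unreadable by the page.
function corsExposes(pageOrigin, resourceUrl, responseHeaders, credentialed = false) {
  if (new URL(resourceUrl).origin === pageOrigin) return true;
  const acao = header(responseHeaders, "access-control-allow-origin");
  if (acao === undefined) return false;
  if (acao === "*") return !credentialed;     // wildcard is invalid with credentials
  if (acao !== pageOrigin) return false;
  if (!credentialed) return true;
  return header(responseHeaders, "access-control-allow-credentials") === "true";
}

// OCSP over GET (RFC 6960 Appendix A) is a CORS "simple" request. OCSP over
// POST sends Content-Type: application/ocsp-request, which is not on the CORS
// safelist, so the responder must also answer an OPTIONS preflight or the
// browser never sends the POST at all.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];
const SAFELISTED_HEADERS = ["accept", "accept-language", "content-language", "content-type"];
const SAFELISTED_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
function needsPreflight(method, requestHeaders) {
  if (!SAFELISTED_METHODS.includes(method.toUpperCase())) return true;
  const names = Object.keys(requestHeaders).map((k) => k.toLowerCase());
  if (names.some((n) => !SAFELISTED_HEADERS.includes(n))) return true;
  const ct = header(requestHeaders, "content-type");
  return ct !== undefined && !SAFELISTED_TYPES.some((t) => ct.toLowerCase().startsWith(t));
}

// Proxy-side allow-list. certUrls are the CRL Distribution Point and AIA (OCSP,
// caIssuers) URLs that the proxy itself pulled out of the certificate under
// validation (assumed to come from an X.509 parser, not shown). Anything else
// is refused. Because the certificate can be attacker supplied, URLs that point
// into loopback, RFC 1918 or link-local space are refused even when the
// certificate names them; that is the "attack another site" case.
function isInternalHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1") return true;
  const m = h.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return false;                       // DNS names must be checked at resolve time (see note)
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function evidenceUrlPolicy(requestedUrl, certUrls) {
  let u;
  try { u = new URL(requestedUrl); } catch { return { allow: false, reason: "unparseable url" }; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return { allow: false, reason: "scheme" };
  if (u.username || u.password) return { allow: false, reason: "userinfo in url" };
  if (u.port !== "") return { allow: false, reason: "non-default port" };
  // The URL parser normalises IP literals, so "http://0x7f000001/" lands here as 127.0.0.1.
  if (isInternalHost(u.hostname)) return { allow: false, reason: "internal host" };
  // Compare normalised forms so "http://CRL.example-ca.test/ca.crl" still matches.
  const allowed = certUrls.flatMap((c) => { try { return [new URL(c).href]; } catch { return []; } });
  if (!allowed.includes(u.href)) return { allow: false, reason: "not named by certificate" };
  return { allow: true, reason: "ok" };
}

// Constructed sample data: URLs as they might appear in a leaf certificate's
// extensions, including one planted by an attacker to reach cloud metadata.
const SAMPLE_CERT_URLS = [
  "http://crl.example-ca.test/ca.crl",
  "http://ocsp.example-ca.test/",
  "http://169.254.169.254/latest/meta-data/",
];

console.log(corsExposes("https://sign.example", "http://crl.example-ca.test/ca.crl",
  { "Content-Type": "application/pkix-crl" }));                                   // false: no ACAO header
console.log(needsPreflight("POST", { "Content-Type": "application/ocsp-request" })); // true
console.log(evidenceUrlPolicy("http://169.254.169.254/latest/meta-data/", SAMPLE_CERT_URLS).reason); // "internal host"
```

The host check above only inspects the literal in the URL; a DNS name that resolves to an internal address has to be caught when the proxy resolves it, by checking the resolved address and connecting to that same address rather than resolving twice. The proxy should also bind requests to an authenticated session and rate-limit them, which is the practical difference between the authenticated and unauthenticated proxies the thread contrasts.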
Thread by Ryan Hurst