[cabfpub] OCSP Stapling and Short-Lived Certificates Proposal
Yngve N. Pettersen
yngve at spec-work.net
Mon Mar 25 10:42:27 UTC 2013
On Mon, 25 Mar 2013 11:37:15 +0100, Gervase Markham <gerv at mozilla.org>
wrote:
> On 23/03/13 05:23, Ryan Sleevi wrote:
>> If the CA has issued a valid, signed OCSP response, then they have no
>> ability to revoke that certificate for any client that supports
>> stapling, until that OCSP response expires.
>
> And if I were an attacker, the very first thing I'd do, on obtaining my
> dodgy cert, would be to grab a valid OCSP response for it so I had that
> in the bank too.
This is the reason why I would have preferred that OCSP stapled responses
had a freshness requirement, meaning that they would have to be refetched
(and regenerated) every few hours, no matter that it is nominally valid
for days.
--
Sincerely,
Yngve N. Pettersen
Using Opera's mail client: http://www.opera.com/mail/