<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
On 03/23/2013 09:04 AM, From Ryan Sleevi:
<blockquote
cite="mid:CACvaWvZKTWPVMTTDgHNDqrmUaYqPr=OukkZ3XtiLR+peZqSUUA@mail.gmail.com"
type="cite">The disconnect here seems to be the assumption that
every client will check OCSP at least once, so that the CAs
revocation is meaningful. They won't. They will use the stapled,
outdated response.</blockquote>
<br>
This is a good point and I think we should A) reduce the time a
stapled response may be valid and B) reduce the maximum validity
time of an OCSP response. That's probably not what you wanted, but
that's what we are doing already today - in my opinion it is too long
anyway and I agree with you on this.<br>
<br>
Just for the record, stapling is at the moment not widely deployed
and not something we have to overly worry about right now, but we
should indeed set rules for exactly the scenario you mentioned
above.<br>
<br>
<div class="moz-signature">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
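The exchange above is about two knobs: (A) how old a stapled response a client will still accept, and (B) how long a CA makes its OCSP responses valid. The following is an added example (not code from the original message, from StartCom or from any of the participants) that models, with the Python standard library only, a server that keeps stapling an outdated response until it expires and a client that applies those two limits, and measures how many hours after revocation the client still says "good". The timeline, the 2013-03-22 revocation time, the class and function names and the assumption that a client which refuses a staple falls back to a live OCSP query are all constructed for the illustration.<br>

```python
"""Added example (not part of the original e-mail): how long a revoked
certificate keeps being accepted on the strength of a stapled OCSP response
under limits on (A) staple age and (B) response validity. All names,
timestamps and behaviours are constructed for the illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DAY = timedelta(days=1)
WEEK = timedelta(days=7)


@dataclass(frozen=True)
class OCSPResponse:
    """The SingleResponse fields that matter for freshness (RFC 6960)."""
    cert_status: str       # "good" or "revoked"
    this_update: datetime  # thisUpdate: time at which the status was known correct
    next_update: datetime  # nextUpdate: time by which newer status information exists


class Responder:
    """Constructed CA responder: reports the live status with a fixed validity."""

    def __init__(self, revoked_at: datetime, validity: timedelta) -> None:
        self.revoked_at = revoked_at
        self.validity = validity      # knob (B): validity period of a response

    def issue(self, now: datetime) -> OCSPResponse:
        status = "revoked" if now >= self.revoked_at else "good"
        return OCSPResponse(status, now, now + self.validity)


class LazyStaplingServer:
    """Server that re-fetches its staple only once the old one is past nextUpdate
    (assumed behaviour: the 'stapled, outdated response' case quoted above)."""

    def __init__(self, responder: Responder) -> None:
        self.responder = responder
        self.staple: Optional[OCSPResponse] = None

    def handshake(self, now: datetime) -> OCSPResponse:
        if self.staple is None or now > self.staple.next_update:
            self.staple = self.responder.issue(now)
        return self.staple


def staple_verdict(resp: OCSPResponse, now: datetime,
                   max_staple_age: Optional[timedelta] = None) -> str:
    """Client-side decision: the certificate status if the staple is acceptable,
    otherwise the reason the client cannot rely on it."""
    if not (resp.this_update <= now <= resp.next_update):
        return "stale"             # outside [thisUpdate, nextUpdate]
    if max_staple_age is not None and now - resp.this_update > max_staple_age:
        return "staple-too-old"    # knob (A): client refuses an old staple
    return resp.cert_status


def hours_accepted_after_revocation(validity: timedelta,
                                    max_staple_age: Optional[timedelta] = None,
                                    fetched_before_revocation: timedelta = timedelta(hours=1),
                                    horizon: timedelta = timedelta(days=10)) -> int:
    """Hourly simulation: hours after revocation at which the last 'good' verdict
    is given. The server fetches its staple shortly before revocation (worst case);
    a client that refuses the staple falls back to a live query (assumption)."""
    revoked_at = datetime(2013, 3, 22, tzinfo=timezone.utc)   # constructed timeline
    responder = Responder(revoked_at, validity)
    server = LazyStaplingServer(responder)
    start = revoked_at - fetched_before_revocation
    last_good: Optional[datetime] = None
    for hour in range(int(horizon / timedelta(hours=1)) + 1):
        now = start + timedelta(hours=hour)
        verdict = staple_verdict(server.handshake(now), now, max_staple_age)
        if verdict in ("stale", "staple-too-old"):
            verdict = responder.issue(now).cert_status   # live OCSP query instead
        if verdict == "good" and now >= revoked_at:
            last_good = now
    if last_good is None:
        return 0
    return int((last_good - revoked_at) / timedelta(hours=1))


if __name__ == "__main__":
    print("7-day responses, no staple-age limit:", hours_accepted_after_revocation(WEEK))
    print("7-day responses, 24h staple-age limit:", hours_accepted_after_revocation(WEEK, DAY))
    print("24h responses, no staple-age limit:", hours_accepted_after_revocation(DAY))
```

With seven-day responses and no client-side limit the lazy server's staple is accepted until its nextUpdate, so a certificate revoked an hour after the staple was fetched stays "good" for almost the full week. Either knob alone caps the window at roughly the smaller of the two limits (about a day here), which is why the two measures in the reply above reinforce each other: (B) shortens what the CA signs, (A) makes a client stop trusting an old staple even when the CA has not.<br>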
<br>
</body>
</html>