<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <div class="moz-cite-prefix">On 06/11/2015 07:36 PM, Ryan Sleevi
      wrote:<br>
    </div>
    <blockquote
cite="mid:CACvaWvb+ZtbMTUV9eVSgXyDLPcOn+YeVUhELhaHMGw=oYqTjtg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra"><br>
          <div class="gmail_quote">We're not talking about caching,
            we're talking about stapling.</div>
        </div>
      </div>
    </blockquote>
    <br>
    Well, I wasn't talking about stapling really :-)<br>
    <br>
    But stapling is currently supported by only 25% of web sites serving
    certificates; even here, I believe servers can take a more
    conservative approach and update the OCSP every X hours or so. I'd
    recommend it in any case.<br>
    <br>
    <blockquote
cite="mid:CACvaWvb+ZtbMTUV9eVSgXyDLPcOn+YeVUhELhaHMGw=oYqTjtg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000">There is a
                difference, certainly if we are talking about the max.
                time of 10 days (which is commercially interesting
                enough for an attacker I guess, and probably the
                reason why some/most browsers cache the OCSP response
                for only 24 hours).</div>
            </blockquote>
            <div><br>
            </div>
            <div>Again, I'd appreciate if you could name names, because
              this is not true for implementations that I've seen.<br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    For example, Firefox caches the OCSP response for 24 hours only and
    not at all between restarts. From what I've seen, Microsoft also uses
    Cache-Control headers in order to determine for how long to cache
    OCSP (and CRLs), which makes it a bit difficult to determine when it
    would update, but I assume that CAs will leave this fairly short for
    obvious reasons (also in the 24 hours range).<br>
    <br>
    <blockquote
cite="mid:CACvaWvb+ZtbMTUV9eVSgXyDLPcOn+YeVUhELhaHMGw=oYqTjtg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div>You're arguing that these clients are thus more secure
              (with OCSP) than they are with short-lived certificates,
              and it would help to understand how this claim is formed.</div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    Yes, hope the above helps.<br>
    <br>
    <div class="moz-signature">-- <br>
      <table border="0" cellpadding="0" cellspacing="0">
        <tbody>
          <tr>
            <td colspan="2">Regards </td>
          </tr>
          <tr>
            <td colspan="2"> </td>
          </tr>
          <tr>
            <td>Signer: </td>
            <td>Eddy Nigg, COO/CTO</td>
          </tr>
          <tr>
            <td> </td>
            <td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
          </tr>
          <tr>
            <td>XMPP: </td>
            <td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
          </tr>
          <tr>
            <td>Blog: </td>
            <td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
          </tr>
          <tr>
            <td>Twitter: </td>
            <td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
          </tr>
          <tr>
            <td colspan="2"> </td>
          </tr>
        </tbody>
      </table>
    </div>
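    <br>
    The caching rules discussed in the reply above, as an added example that is not part of the thread and is not Firefox's or Microsoft's code: the client keeps a cached OCSP response only until the earliest of its nextUpdate, the HTTP Cache-Control max-age (when the client honours that header) and a fixed client cap, so a 10-day response is reused for at most a day. The 24-hour cap, the 6-hour stapling refresh interval and the timestamps are assumptions for illustration.<br>

```python
# Added example, not code from the thread or from any browser. It models the
# client-side OCSP caching rules described in the message: a cached response is
# reused only until the earliest of its nextUpdate, the HTTP Cache-Control
# max-age (when the client honours it) and the client's own fixed cap. The 24 h
# cap, the 6 h staple refresh and the timestamps are assumptions, not measured.
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

CLIENT_CAP = timedelta(hours=24)  # assumed fixed client cap, as in the message


def parse_max_age(cache_control: Optional[str]) -> Optional[int]:
    """Return max-age in seconds from a Cache-Control header, or None."""
    if not cache_control:
        return None
    for directive in cache_control.split(","):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and value.strip().isdigit():
            return int(value)
    return None


def cache_expiry(fetched_at: datetime, next_update: datetime, cache_control: Optional[str],
                 honour_cache_control: bool = True,
                 client_cap: timedelta = CLIENT_CAP) -> Tuple[datetime, str]:
    """Moment the cached response must be discarded, plus the rule that bound it."""
    bounds = {"nextUpdate": next_update, "client cap": fetched_at + client_cap}
    max_age = parse_max_age(cache_control) if honour_cache_control else None
    if max_age is not None:
        bounds["Cache-Control max-age"] = fetched_at + timedelta(seconds=max_age)
    rule = min(bounds, key=bounds.get)  # earliest bound wins
    return bounds[rule], rule


def staple_refresh_at(fetched_at: datetime, next_update: datetime,
                      every: timedelta = timedelta(hours=6)) -> datetime:
    """Stapling server refetch time: its own schedule, but never past nextUpdate."""
    return min(fetched_at + every, next_update)


def demo() -> dict:
    """Constructed scenarios: hours of cache life and the binding rule per case."""
    t0 = datetime(2015, 6, 11, 12, 0, tzinfo=timezone.utc)  # constructed fetch time
    ten_days, half_day = t0 + timedelta(days=10), t0 + timedelta(hours=12)
    cases = {"10d, no header": cache_expiry(t0, ten_days, None),
             "10d, max-age=3600": cache_expiry(t0, ten_days, "public, max-age=3600"),
             "10d, header ignored": cache_expiry(t0, ten_days, "max-age=3600", False),
             "12h response": cache_expiry(t0, half_day, None),
             "staple refresh": (staple_refresh_at(t0, ten_days), "schedule")}
    return {k: ((exp - t0).total_seconds() / 3600, rule) for k, (exp, rule) in cases.items()}
```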
  </body>
</html>