<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 06/11/2015 08:13 PM, Ryan Sleevi
wrote:<br>
</div>
<blockquote
cite="mid:CACvaWvZCcfYx64UKnXcdhB04CuzUQ7yX8gzScparZD_ZHDyEYQ@mail.gmail.com"
type="cite">
<div dir="ltr">On Thu, Jun 11, 2015 at 10:02 AM, Eddy Nigg <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:eddy_nigg@startcom.org" target="_blank">eddy_nigg@startcom.org</a>></span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class=""><br>
</span> Well, I wasn't talking about stapling really :-)<br>
<br>
But stapling is currently supported by only 25% of web
sites serving certificates, and even here I believe
servers can take a more conservative approach and update
the OCSP every X hours or so. I'd recommend it in any
case.</div>
</blockquote>
<div><br>
</div>
<div>Sure, but good security practices don't affect the
minimum security. That's been the point repeatedly in
these discussions. The question has been "How long can an
attacker use a bad certificate" and "How quickly will
clients notice" - and an attacker that can staple a
response for 10 days (since stapling is widely supported
in the major browsers) is an attacker that can use that
bad certificate.</div>
</div>
</div>
</div>
</blockquote>
<br>
You mean the attacker will use stapling in that case. That might make
sense, in which case I believe we might also want to review the
current requirements. We don't use 10 days and most likely most
major CAs don't (the top ten account for 97% or so of all certs). In
that case we might also find support to reduce this time further.<br>
<br>
It doesn't change my stance, though, that certificates should
always have revocation pointers and that software vendors may implement
their own criteria.<br>
<br>
<div class="moz-signature">-- <br>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
</body>
</html>