[cabfpub] Fwd: Re: [cabfrev] Must Staple Draft

Adam Langley agl at google.com
Wed Oct 3 11:57:11 MST 2012


On Wed, Oct 3, 2012 at 2:13 PM, Paul Tiemann
<paul.tiemann.usenet at gmail.com> wrote:
> Sounds more likely to me that people will avoid mustStaple.  What do they stand to gain?  A certificate with an increased chance of spectacular failure if any one of a series of dependencies fails, some of which will be outside their control?

That's what hard-fail revocation entails. At the CA/B Forum meeting, a
couple of CAs indicated that they had customers who were interested in
a mustStaple certificate and I'm happy to support that.

> If worried about cases where mustStaple gets used to force OCSP checking in Chrome even on servers that don't support stapling, what about some anonymous statistics gathering mechanism so it can be watched?

We cannot gather statistics at the level of granularity that would
identify servers, or anything even close to it. If we measured that
mustStaple was being seen without staples, then what would we do? Just
switch it off because it's being abused? That would seem like a whole
waste of time all around.

> Personally though, I would prefer to see a mustStaple oid thrown into Certificate Policies than as a new top-level extension.

Certificate Policies seems like a reasonable place to put it - I can't
think of any problems off the bat.


Cheers

AGL
