[cabfpub] CT and OCSP Stapling
Ben Laurie
benl at google.com
Wed Oct 17 04:57:07 MST 2012
On 17 October 2012 12:35, Rob Stradling <rob.stradling at comodo.com> wrote:
> Adam, at the New York F2F recently, you mentioned that you and Ben didn't
> like the idea of embedding CT proofs in CA-provided OCSP Responses. Your
> view was that this would "weaken CT". If you did explain what you meant by
> this, I'm afraid I've forgotten what you said. So...
>
> Please would you or Ben explain exactly why you think it would "weaken CT"?
>
> (IMHO, CT will only work if clients hard-fail on absence of a CT proof, so
> it makes no difference what distribution channel is used to get a CT proof
> to a client. I don't see how using the OCSP Stapling TLS extension would be
> any "weaker" than using the RFC5878 TLS extension).
This is exactly it - there may have been some confusion here. We're
perfectly happy to use OCSP Stapling with CT.
I think Adam thought you were talking about using standard OCSP, which
as you know won't work because of unreliability, which means it can't
be hard-fail, which defeats the purpose of CT.