[cabfpub] CT and OCSP Stapling

Ben Laurie benl at google.com
Wed Oct 17 04:57:07 MST 2012


On 17 October 2012 12:35, Rob Stradling <rob.stradling at comodo.com> wrote:
> Adam, at the New York F2F recently, you mentioned that you and Ben didn't
> like the idea of embedding CT proofs in CA-provided OCSP Responses.  Your
> view was that this would "weaken CT".  If you did explain what you meant by
> this, I'm afraid I've forgotten what you said.  So...
>
> Please would you or Ben explain exactly why you think it would "weaken CT"?
>
> (IMHO, CT will only work if clients hard-fail on absence of a CT proof, so
> it makes no difference what distribution channel is used to get a CT proof
> to a client.  I don't see how using the OCSP Stapling TLS extension would be
> any "weaker" than using the RFC5878 TLS extension).

This is exactly it - there may have been some confusion here. We're
perfectly happy to use OCSP Stapling with CT.

I think Adam thought you were talking about using standard OCSP, which
as you know won't work because of unreliability, which means it can't
be hard-fail, which defeats the purpose of CT.


More information about the Public mailing list