[cabfpub] CT and OCSP Stapling

Adam Langley agl at google.com
Wed Oct 17 05:52:06 MST 2012


On Wed, Oct 17, 2012 at 7:57 AM, Ben Laurie <benl at google.com> wrote:
> This is exactly it - there may have been some confusion here. We're
> perfectly happy to use OCSP Stapling with CT.
>
> I think Adam thought you were talking about using standard OCSP, which
> as you know won't work because of unreliability, which means it can't
> be hard-fail, which defeats the purpose of CT.

Right, with must-staple it's just moving the bits around in the
handshake. That makes no difference.

I believe that several folks in the room were suggesting just using
OCSP, whether the server staples or not. The issue there is that the
work needed to break the system is reduced from "compromise a quorum
of logs and isolate the client forever" to just "isolate the client
forever".


Cheers

AGL

