[cabfpub] CT and OCSP Stapling

Ben Laurie benl at google.com
Wed Oct 17 05:52:52 MST 2012


On 17 October 2012 12:57, Ben Laurie <benl at google.com> wrote:
> On 17 October 2012 12:35, Rob Stradling <rob.stradling at comodo.com> wrote:
>> Adam, at the New York F2F recently, you mentioned that you and Ben didn't
>> like the idea of embedding CT proofs in CA-provided OCSP Responses.  Your
>> view was that this would "weaken CT".  If you did explain what you meant by
>> this, I'm afraid I've forgotten what you said.  So...
>>
>> Please would you or Ben explain exactly why you think it would "weaken CT"?
>>
>> (IMHO, CT will only work if clients hard-fail on absence of a CT proof, so
>> it makes no difference what distribution channel is used to get a CT proof
>> to a client.  I don't see how using the OCSP Stapling TLS extension would be
>> any "weaker" than using the RFC5878 TLS extension).
>
> This is exactly it - there may have been some confusion here. We're
> perfectly happy to use OCSP Stapling with CT.
>
> I think Adam thought you were talking about using standard OCSP, which
> as you know won't work because of unreliability, which means it can't
> be hard-fail, which defeats the purpose of CT.

BTW, as far as I can see all we would need to do to add a CT response
to OCSP is to allocate an OID and make the body the SCT.

I can add that to the I-D now :-)
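Added illustration, not code from this thread or from the I-D: the SCT payload Ben proposes carrying in a new OCSP extension, encoded and parsed with the TLS-style v1 SCT layout (version, 32-byte LogID, 64-bit millisecond timestamp, extensions, algorithm bytes, signature), wrapped in a length-prefixed SignedCertificateTimestampList, and a client-side check applying Rob's hard-fail rule when the extension is absent. Assumptions: the extension OID is a placeholder standing in for the one that would need allocating, and the sample values are constructed rather than taken from any real log.

```python
import struct

SCT_EXT_OID = "OID-TO-BE-ALLOCATED"  # placeholder for the OID Ben says would have to be allocated

def _take(buf, pos, n=None):  # bounds-checked read of n bytes; n=None reads a 2-byte length-prefixed vector
    if n is None:
        ln, pos = _take(buf, pos, 2)
        n = struct.unpack(">H", ln)[0]
    if pos + n > len(buf):
        raise ValueError("truncated SCT structure")
    return buf[pos:pos + n], pos + n
def _vec(b):  # the inverse: TLS opaque<0..2^16-1>, 2-byte big-endian length then the bytes
    return struct.pack(">H", len(b)) + b

def encode_sct(log_id, timestamp_ms, signature, extensions=b""):
    # v1 SCT: version(1) log_id(32) timestamp(8) extensions<> hash_alg(1) sig_alg(1) signature<>,
    # with 0x04 0x03 as the TLS SignatureAndHashAlgorithm codes for sha256 with ecdsa.
    assert len(log_id) == 32, "LogID is a 32-byte hash of the log key"
    return struct.pack(">B32sQ", 0, log_id, timestamp_ms) + _vec(extensions) + b"\x04\x03" + _vec(signature)

def encode_sct_list(scts):
    # SignedCertificateTimestampList: the bytes that would form the new OCSP extension's body.
    return _vec(b"".join(_vec(s) for s in scts))

def parse_sct(raw):
    fixed, p = _take(raw, 0, 41)
    version, log_id, ts = struct.unpack(">B32sQ", fixed)
    if version != 0:
        raise ValueError("unknown SCT version")
    exts, p = _take(raw, p)
    algs, p = _take(raw, p, 2)
    sig, p = _take(raw, p)
    if p != len(raw):
        raise ValueError("trailing bytes after SCT")
    return dict(log_id=log_id, timestamp_ms=ts, extensions=exts, hash_alg=algs[0], sig_alg=algs[1], signature=sig)

def scts_from_staple(ocsp_extensions):
    # Rob's hard-fail rule: a stapled response without the CT extension is rejected, not tolerated.
    if SCT_EXT_OID not in ocsp_extensions:
        raise ValueError("stapled OCSP response carries no CT proof: hard fail")
    items, _ = _take(ocsp_extensions[SCT_EXT_OID], 0)
    scts, pos = [], 0
    while pos < len(items):
        raw, pos = _take(items, pos)
        scts.append(parse_sct(raw))
    return scts

# Constructed sample, not real log data: a fake log ID, a millisecond timestamp and an opaque signature.
SAMPLE_STAPLE_EXTS = {SCT_EXT_OID: encode_sct_list([encode_sct(bytes(range(32)), 1350446400000, b"\x01\x02\x03")])}
```

Signature verification against the log's public key is deliberately left out; the block shows only the framing and the presence check.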

