[cabfpub] CT and OCSP Stapling

Rob Stradling rob.stradling at comodo.com
Wed Oct 17 13:57:34 UTC 2012


On 17/10/12 13:52, Adam Langley wrote:
> On Wed, Oct 17, 2012 at 7:57 AM, Ben Laurie <benl at google.com> wrote:
>> This is exactly it - there may have been some confusion here. We're
>> perfectly happy to use OCSP Stapling with CT.
>>
>> I think Adam thought you were talking about using standard OCSP, which
>> as you know won't work because of unreliability, which means it can't
>> be hard-fail, which defeats the purpose of CT.
>
> Right, with must-staple it's just moving the bits around in the
> handshake. That makes no difference.
>
> I believe that several folks in the room were suggesting just using
> OCSP, whether the server staples or not. The issue there is that the
> work needed to break the system is reduced from "compromise a quorum
> of logs and isolate the client forever" to just "isolate the client
> forever".

Adam, Ben, thanks for clarifying this.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
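The trade-off Ben and Adam describe above, as an added illustration that is not code from this thread or from any CT implementation: a small model of a TLS client that expects SCTs delivered inside a stapled OCSP response. It compares must-staple (hard-fail) behaviour against the soft-fail plain-OCSP behaviour browsers had in 2012, and shows that with soft-fail an attacker who can merely block the responder gets a never-logged certificate accepted, whereas with must-staple the attacker additionally has to forge SCTs, i.e. hold a quorum of log keys. The log names, secrets, serial numbers, quorum size and the use of HMAC as a stand-in for a log's real signature are all assumptions of the model.

```python
"""Toy model: CT SCTs carried in stapled OCSP, hard-fail vs soft-fail.

Added example, not code from the cabfpub thread. Log signatures are
stood in for by HMAC over the certificate with a per-log secret; real
SCTs carry ECDSA/RSA signatures (RFC 6962). All sample data is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed: the client's trusted logs and (for the model) their signing keys.
TRUSTED_LOGS = {"log-A": b"secret-A", "log-B": b"secret-B", "log-C": b"secret-C"}
QUORUM = 2  # assumed client policy: SCTs from two distinct trusted logs


@dataclass
class SCT:
    log_id: str
    signature: bytes


@dataclass
class OCSPResponse:
    status: str                      # "good" or "revoked"
    scts: list = field(default_factory=list)


@dataclass
class Certificate:
    subject: str
    serial: int

    def tbs(self) -> bytes:
        return f"{self.subject}:{self.serial}".encode()


def issue_sct(cert: Certificate, log_id: str, key: bytes) -> SCT:
    """A log's promise to include `cert` (HMAC stands in for the signature)."""
    return SCT(log_id, hmac.new(key, cert.tbs(), hashlib.sha256).digest())


def valid_scts(cert: Certificate, scts: list) -> set:
    """Distinct trusted logs whose SCT over `cert` verifies."""
    good = set()
    for sct in scts:
        key = TRUSTED_LOGS.get(sct.log_id)
        if key is None:
            continue  # unknown log: ignored, does not count toward quorum
        expected = hmac.new(key, cert.tbs(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, sct.signature):
            good.add(sct.log_id)
    return good


def client_decision(cert, stapled, responder, hard_fail) -> tuple:
    """Decide accept/reject for a handshake.

    stapled   -- OCSPResponse stapled by the server, or None
    responder -- callable fetching the CA's OCSP response; raises OSError
                 when the client cannot reach it (attacker isolates client)
    hard_fail -- True: must-staple semantics, a missing staple is fatal
                 False: plain OCSP with soft-fail on unreachable responder
    """
    resp = stapled
    if resp is None:
        if hard_fail:
            return ("reject", "must-staple: no OCSP response in handshake")
        try:
            resp = responder()
        except OSError:
            # Soft-fail: an unreachable responder is treated as "good".
            # This is the step an isolating attacker exploits.
            return ("accept", "soft-fail: responder unreachable, proceeding")
    if resp.status != "good":
        return ("reject", "certificate revoked")
    logs = valid_scts(cert, resp.scts)
    if len(logs) >= QUORUM:
        return ("accept", f"SCTs from {sorted(logs)}")
    return ("reject", f"only {len(logs)} valid SCT(s), quorum is {QUORUM}")


def scenarios() -> dict:
    """Constructed handshakes covering the cases discussed in the thread."""
    legit = Certificate("example.com", 1001)
    legit_scts = [issue_sct(legit, l, TRUSTED_LOGS[l]) for l in ("log-A", "log-B")]
    rogue = Certificate("example.com", 6666)      # never submitted to any log

    def blocked():
        raise OSError("OCSP responder unreachable")

    forged = OCSPResponse("good", [SCT("log-A", b"\x00" * 32)])
    # Attacker who holds a quorum of log keys can mint SCTs for the rogue cert.
    log_compromise = OCSPResponse(
        "good", [issue_sct(rogue, l, TRUSTED_LOGS[l]) for l in ("log-B", "log-C")])

    return {
        "honest_must_staple": client_decision(legit, OCSPResponse("good", legit_scts), blocked, True),
        "rogue_must_staple": client_decision(rogue, None, blocked, True),
        "rogue_forged_sct": client_decision(rogue, forged, blocked, True),
        "rogue_plain_ocsp_isolated": client_decision(rogue, None, blocked, False),
        "rogue_plain_ocsp_reachable": client_decision(
            rogue, None, lambda: OCSPResponse("good", []), False),
        "rogue_compromised_logs": client_decision(rogue, log_compromise, blocked, True),
    }


if __name__ == "__main__":
    for name, (verdict, why) in scenarios().items():
        print(f"{name:28s} {verdict:7s} {why}")
```

Reading the scenario table: under must-staple the rogue certificate is rejected whether the attacker sends nothing or a forged SCT, and only a compromise of a quorum of logs gets it through; under plain OCSP the same rogue certificate is accepted as soon as the responder is unreachable, which is the reduction in attacker effort Adam points out.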
