[cabfpub] OCSP Stapling and Short-Lived Certificates Proposal
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Sat Mar 23 03:34:18 MST 2013
On 03/23/2013 09:04 AM, From Ryan Sleevi:
> The disconnect here seems to be the assumption that every client will
> check OCSP at least once, so that the CA's revocation is meaningful.
> They won't. They will use the stapled, outdated response.
This is a good point and I think we should A) reduce the time a stapled
response may be valid and B) reduce the maximum validity time of an OCSP
response. That's probably not what you wanted, but that's what we are
doing already today - in my opinion it is too long anyway and I agree with
you on this.
Just for the record, stapling is at the moment not widely deployed and
not something we have to overly worry about right now, but we should
indeed set rules for exactly the scenario you mentioned above.
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
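The two limits discussed in this message, (A) a cap on how old a stapled response may be when the client sees it and (B) a cap on the total validity window a responder may assert, are client-side policy checks. The following is an added example, not code from the original post or from any CA/Browser Forum document: a freshness check over the RFC 6960 fields thisUpdate and nextUpdate, with hypothetical policy limits (one day staple age, four day window) and constructed sample timestamps. It does not parse DER; a real client would fill OcspResponseInfo from its OCSP parser.

```python
"""Client-side freshness policy for a stapled OCSP response (added example).

Applies two limits to a stapled response: (A) a maximum age of the response
at the time the client sees it and (B) a maximum nextUpdate - thisUpdate
window the responder is allowed to assert. Policy values and timestamps are
constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class OcspResponseInfo:
    """The freshness-relevant fields of a SingleResponse (RFC 6960 names)."""
    this_update: datetime
    next_update: Optional[datetime]  # absent means the responder set no bound


@dataclass(frozen=True)
class StaplePolicy:
    """Hypothetical client policy; limits are constructed, not CA/B Forum values."""
    max_staple_age: timedelta        # limit (A): how old a stapled response may be
    max_validity_window: timedelta   # limit (B): longest nextUpdate - thisUpdate allowed
    clock_skew: timedelta = timedelta(minutes=5)


def evaluate_stapled_response(resp: OcspResponseInfo, policy: StaplePolicy,
                              now: datetime) -> Tuple[bool, str]:
    """Decide whether a stapled OCSP response may be relied on at time `now`.

    Returns (accepted, reason). Each rejection names the limit that failed so
    the verdict can be logged; the caller then falls back to a live OCSP fetch
    or hard-fails according to its own policy.
    """
    if resp.next_update is None:
        return False, "no nextUpdate: validity cannot be bounded, treat as stale"
    if resp.next_update <= resp.this_update:
        return False, "nextUpdate is not after thisUpdate"
    window = resp.next_update - resp.this_update
    if window > policy.max_validity_window:
        return False, f"validity window {window} exceeds policy maximum {policy.max_validity_window}"
    if resp.this_update > now + policy.clock_skew:
        return False, "thisUpdate lies in the future beyond allowed clock skew"
    if now > resp.next_update + policy.clock_skew:
        return False, "response has expired"
    age = now - resp.this_update
    if age > policy.max_staple_age:
        return False, f"stapled response is {age} old, exceeding max staple age {policy.max_staple_age}"
    return True, "fresh"


# Constructed sample: the evaluation instant and a hypothetical policy.
SAMPLE_NOW = datetime(2013, 3, 23, 10, 0, tzinfo=timezone.utc)
SAMPLE_POLICY = StaplePolicy(max_staple_age=timedelta(days=1),
                             max_validity_window=timedelta(days=4))


def run_samples() -> dict:
    """Evaluate five constructed responses; returns {case: (accepted, reason)}."""
    h, d = timedelta(hours=1), timedelta(days=1)
    cases = {
        # 2 h old, 3-day window: within both limits
        "fresh":           OcspResponseInfo(SAMPLE_NOW - 2 * h, SAMPLE_NOW - 2 * h + 3 * d),
        # still inside its 4-day window, but stapled copy is 3 days old (limit A)
        "stale_staple":    OcspResponseInfo(SAMPLE_NOW - 3 * d, SAMPLE_NOW + 1 * d),
        # responder asserted a 10-day window (limit B)
        "window_too_long": OcspResponseInfo(SAMPLE_NOW - 1 * h, SAMPLE_NOW - 1 * h + 10 * d),
        # nextUpdate already passed
        "expired":         OcspResponseInfo(SAMPLE_NOW - 5 * d, SAMPLE_NOW - 1 * d),
        # thisUpdate an hour ahead of the client clock
        "future_dated":    OcspResponseInfo(SAMPLE_NOW + 1 * h, SAMPLE_NOW + 3 * d),
    }
    return {name: evaluate_stapled_response(r, SAMPLE_POLICY, SAMPLE_NOW)
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{name:16s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The order of the checks matters: the window check (B) runs before the age check (A) so that a responder asserting an over-long window is rejected even when the staple itself happens to be recent, which is the case Ryan describes where only the stapled copy, never the responder, is ever consulted.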