[cabfpub] OCSP Stapling and Short-Lived Certificates Proposal

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Mar 22 23:24:21 UTC 2013


On 03/23/2013 12:57 AM, From Ryan Sleevi:
> [RS] Every byte is critical during the critical SSL/TLS handshake - 
> especially with the small INITCWNDs that exist today. CAs SHOULD be 
> able to offer as small a cert as possible that provides the same 
> security guarantees - performance matters, and if CAs wish to sell 
> more certificates, the best way to do so is to help customers realize 
> savings that puts the cost of SSL on par - or LESS than - unencrypted 
> traffic.

I'd like to add here to my previous comment that if something doesn't 
need a secure transaction, make it plain text. For the benefit of 
encryption, I assume that you can invest 100 ms for a revocation check. 
That's the price to pay plus a few bytes for the increased certificate 
size with CRL/OCSP DPs (which happens once for the lifetime of the cert 
per client).

Certificates without revocation checking (or browsers that don't check 
the certificate status) don't need encryption. In my opinion both lost 
the cause for encryption and it would be cheaper to just skip it and go 
plain text.

But if making OCSP update requirements to 24 hours will bring your 
browser back to support revocation checking, I'll support such a proposal.

My 0.02 US$


Regards
Signer:  Eddy Nigg, COO/CTO
         StartCom Ltd. <http://www.startcom.org>
XMPP:    startcom at startcom.org <xmpp:startcom at startcom.org>
Blog:    Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
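As an added example that is not part of this thread or of any CA's code: a small Go program that checks whether a certificate carries the CRL/OCSP pointers the message refers to, and measures the byte overhead those extensions add to the DER that crosses the wire. It uses constructed, self-signed 24-hour test certificates and placeholder URLs (ocsp.example.test, crl.example.test), not real CA endpoints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// RevocationInfo summarises the revocation pointers a certificate carries.
type RevocationInfo struct {
	OCSPURLs []string // from the Authority Information Access extension
	CRLURLs  []string // from the CRL Distribution Points extension
	DERBytes int      // encoded size: the bytes that cross the wire in the handshake
}
// Inspect parses a DER certificate and reports its revocation pointers and size.
func Inspect(der []byte) (RevocationInfo, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return RevocationInfo{}, err
	}
	return RevocationInfo{cert.OCSPServer, cert.CRLDistributionPoints, len(der)}, nil
}

// HasRevocationPointer is true when a client has any endpoint at which to check status.
func (r RevocationInfo) HasRevocationPointer() bool {
	return len(r.OCSPURLs) > 0 || len(r.CRLURLs) > 0
}

// selfSigned builds a constructed, short-lived test certificate (not a real CA's);
// pass nil for ocsp and crl to mimic a certificate with no revocation pointers.
func selfSigned(ocsp, crl []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour), // 24 h validity
		OCSPServer:            ocsp,
		CRLDistributionPoints: crl,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```

Comparing the two sizes shows the "few bytes" in question; comparing HasRevocationPointer shows which certificates give a client no way to check status at all.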

