[cabfpub] OCSP Stapling and Short-Lived Certificates Proposal

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Sat Mar 23 10:34:18 UTC 2013

On 03/23/2013 09:04 AM, From Ryan Sleevi:
> The disconnect here seems to be the assumption that every client will 
> check OCSP at least once, so that the CAs revocation is meaningful. 
> They won't. They will use the stapled, outdated response.

This is a good point and I think we should A) reduce the time a stapled 
response may be valid and B) reduce the maximum validity time of an OCSP 
response. That's probably not what you wanted, but that's what we are 
doing already today - in my opinion is too long anyway and I agree with 
you on this.

Just for the record, stapling is at the moment not widely deployed and 
not something we have to overly worry about right now, but we should 
indeed set rules for exactly the scenario you mentioned above.

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130323/0a7e171e/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130323/0a7e171e/attachment-0001.p7s>

More information about the Public mailing list