[cabfpub] OCSP Stapling and Short-Lived Certificates Proposal

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Sat Mar 23 16:06:21 UTC 2013

+1, Eddy.

Let’s move on reducing the time for updating CRLs and OCSP responses to respond to Ryan’s point.  That’s the best way to make revocation checking a must.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Saturday, March 23, 2013 3:34 AM
To: public at cabforum.org
Subject: Re: [cabfpub] OCSP Stapling and Short-Lived Certificates Proposal

On 03/23/2013 09:04 AM, From Ryan Sleevi:
The disconnect here seems to be the assumption that every client will check OCSP at least once, so that the CAs revocation is meaningful. They won't. They will use the stapled, outdated response.

This is a good point and I think we should A) reduce the time a stapled response may be valid and B) reduce the maximum validity time of an OCSP response. That's probably not what you wanted, but that's what we are doing already today - in my opinion is too long anyway and I agree with you on this.

Just for the record, stapling is at the moment not widely deployed and not something we have to overly worry about right now, but we should indeed set rules for exactly the scenario you mentioned above.


Eddy Nigg, COO/CTO

StartCom Ltd.<http://www.startcom.org>


startcom at startcom.org<xmpp:startcom at startcom.org>


Join the Revolution!<http://blog.startcom.org>


Follow Me<http://twitter.com/eddy_nigg>

<table class="TM_EMAIL_NOTICE"><tr><td><pre>
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130323/d2a719d7/attachment-0003.html>

More information about the Public mailing list