[cabfpub] OCSP Stapling and Short-Lived Certificates Proposal

Yngve N. Pettersen yngve at spec-work.net
Mon Mar 25 10:42:27 UTC 2013

On Mon, 25 Mar 2013 11:37:15 +0100, Gervase Markham <gerv at mozilla.org>  

> On 23/03/13 05:23, Ryan Sleevi wrote:
>> If the CA has issued a valid, signed OCSP response, then they have no
>> ability to revoke that certificate for any client that supports
>> stapling, until that OCSP response expires.
> And if I were an attacker, the very first thing I'd do, on obtaining my
> dodgy cert, would be to grab a valid OCSP response for it so I had that
> in the bank too.

This is the reason why I would have preferred that OCSP stapled responses
had a freshness requirement, meaning that they would have to be refetched
(and regenerated) every few hours, no matter that it is nominally valid
for days.

Yngve N. Pettersen

Using Opera's mail client: http://www.opera.com/mail/
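The freshness requirement discussed in this message can be illustrated with a small validator. This is an added example, not code from any list participant or from any CA/Browser Forum document; it models only the thisUpdate/nextUpdate timestamps of an OCSP response (RFC 6960) with constructed sample dates, and the `max_age` policy value (six hours) is a hypothetical choice, not a figure from the thread. It shows why a response that is still nominally valid for days would keep being accepted by a client that checks only nextUpdate, while a client applying a staple-age limit would stop accepting it within hours of issuance.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class OCSPTimes:
    """Only the time fields of a signed OCSP response are modelled here.
    Signature and certificate status checks are assumed to have passed."""
    this_update: datetime  # time the responder asserted the status
    next_update: datetime  # nominal end of validity chosen by the CA


def nominally_valid(resp: OCSPTimes, now: datetime) -> bool:
    """Plain RFC 6960 window check: accept while now is inside
    [thisUpdate, nextUpdate). This is all a stapling client does today."""
    return resp.this_update <= now < resp.next_update


def staple_acceptable(resp: OCSPTimes, now: datetime, max_age: timedelta) -> bool:
    """Hypothetical freshness policy: the stapled response must be inside its
    nominal window AND have been produced no more than max_age ago, so the
    server is forced to refetch (and the CA to regenerate) within hours even
    when nextUpdate is days away."""
    if not nominally_valid(resp, now):
        return False
    return now - resp.this_update <= max_age


def acceptance_timeline(resp: OCSPTimes, max_age: timedelta,
                        step: timedelta = timedelta(hours=6),
                        horizon: timedelta = timedelta(days=8)):
    """Walk forward from thisUpdate and record, at each step, whether a
    cached response would still be accepted under each rule.
    Returns a list of (hours_since_issuance, nominal_ok, fresh_ok)."""
    rows = []
    t = resp.this_update
    while t <= resp.this_update + horizon:
        hours = int((t - resp.this_update) / timedelta(hours=1))
        rows.append((hours, nominally_valid(resp, t), staple_acceptable(resp, t, max_age)))
        t += step
    return rows


def hours_until_rejected(resp: OCSPTimes, max_age: timedelta) -> dict:
    """How long a banked response stays usable under each rule (constructed
    metric for comparing the two policies)."""
    result = {"nominal": None, "fresh": None}
    for hours, nominal_ok, fresh_ok in acceptance_timeline(resp, max_age, step=timedelta(hours=1)):
        if result["nominal"] is None and not nominal_ok:
            result["nominal"] = hours
        if result["fresh"] is None and not fresh_ok:
            result["fresh"] = hours
    return result


# Constructed sample: a response produced on 23 Mar 2013 with a 7-day window.
SAMPLE = OCSPTimes(
    this_update=datetime(2013, 3, 23, 0, 0, tzinfo=timezone.utc),
    next_update=datetime(2013, 3, 30, 0, 0, tzinfo=timezone.utc),
)
MAX_STAPLE_AGE = timedelta(hours=6)  # hypothetical policy value

if __name__ == "__main__":
    for hours, nominal_ok, fresh_ok in acceptance_timeline(SAMPLE, MAX_STAPLE_AGE):
        print(f"+{hours:4d}h  nominal={nominal_ok!s:5}  fresh={fresh_ok!s:5}")
    print(hours_until_rejected(SAMPLE, MAX_STAPLE_AGE))
```

Under the nominal rule the sample response is usable for the full 168 hours of its window; under the freshness rule it stops being acceptable after 6 hours, which bounds how long a pre-fetched response stays useful regardless of what the CA put in nextUpdate.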
