[cabfpub] Pre-Ballot - Short-Life Certificates

Ryan Sleevi sleevi at google.com
Fri Oct 24 18:42:36 UTC 2014


As has been explained in the past, with OCSP stapling the 'attacker' can
replay the good response to all clients.

They really are the same security risk profile.
On Oct 24, 2014 11:37 AM, "Rich Smith" <richard.smith at comodo.com> wrote:

> Only if EVERY user who will hit the site after the certificate is
> revoked has already visited the site prior to revocation and cached the
> Good response.  Very unlikely, so a very shaky definition of 'better' IMO.
> On 10/24/2014 1:30 PM, Jeremy.Rowley wrote:
> > It's actually
> > better than OCSP as defined in the BRs since that has a 10 day validity
> > period.