[cabfpub] Pre-Ballot - Short-Life Certificates

Rich Smith richard.smith at comodo.com
Fri Oct 24 19:08:53 UTC 2014

The operative word here is 'can'.  There will not be an active attacker 
in all cases, there just MIGHT be.  This is down to a battle of MIGHTS.  
Your MIGHT is that every user will face someone serving up a stapled 
Good response.  My MIGHT is that not every bad actor is going to serve 
up those stapled Good responses, so my revocation of the certificate 
helps those who encounter the site for the first time after the cert has 
been revoked.

Operating according to your MIGHT leaves every user vulnerable to a bad 
actor for the duration of the certificate life.  Operating according to 
mine offers a chance that some of those users won't be victimized.  I'll 
take mine.

And at this point, I think we're just going around in circles. There are 
no new arguments here, so I remain opposed to removal of revocation 
pointers, and those in favor remain in favor.  Unless someone has any 
new points to make I don't think any of us who have spoken up thus far 
are going to change our minds on this.


On 10/24/2014 2:42 PM, Ryan Sleevi wrote:
> with OCSP stapling the 'attacker' can replay the gold response to all 
> clients.

More information about the Public mailing list