[cabfpub] Short-Lived Certs - the return

Ryan Sleevi sleevi at google.com
Thu Jun 11 16:36:50 UTC 2015


On Thu, Jun 11, 2015 at 9:32 AM, Eddy Nigg <eddy_nigg at startcom.org> wrote:

>
> On 06/11/2015 07:02 PM, Ryan Sleevi wrote:
>
> Sorry, that reply was meant to be towards browsers checking daily.
>
>
> Yes of course, I explicitly mentioned in my original response that any
> cached data will remain cached for whatever time the CA sets in the OCSP
> response.
>

We're not talking about caching, we're talking about stapling.


> But any new connection checking an updated OCSP response would of course
> take effect from the time of revocation by the CA.
>

If they ignored stapling. Which they don't.


> There is a difference, certainly if we are talking about the max. time of
> 10 days (which is commercially interesting enough for an attacker I guess
> -, and probably the reason why some/most browsers cache the OCSP response
> for only 24 hours).
>

Again, I'd appreciate if you could name names, because this is not true for
implementations that I've seen.

That is, your opposition is on the basis of some behaviour of some unnamed
clients that you presume was made for security reasons (as opposed to being
a side-effect or bug of the vendors, and thus subject to change at any
time). You're arguing that these clients are thus more secure (with OCSP)
than they are with short-lived certificates, and it would help to
understand how this claim is formed.

It's not strictly necessary - certainly, you could oppose the change simply
to oppose it. But I think it'd help to understand and appreciate if you
could point to these behaviours and they could be examined to see if the
claims are correct.
