[cabfpub] Short-Lived Certs - the return

Eddy Nigg eddy_nigg at startcom.org
Thu Jun 11 17:02:47 UTC 2015

On 06/11/2015 07:36 PM, Ryan Sleevi wrote:
> We're not talking about caching, we're talking about stapling.

Well, I wasn't talking about stapling really :-)

But stapling is currently supported by only 25% of web sites serving 
certificates, and even here I believe servers can take a more 
conservative approach and update the OCSP response every X hours or so. I'd 
recommend it in any case.

>     There is a difference, certainly if we are talking about the max.
>     time of 10 days (which is commercially interesting enough for an
>     attacker I guess, and probably the reason why some/most browsers
>     cache the OCSP response for only 24 hours).
> Again, I'd appreciate if you could name names, because this is not 
> true for implementations that I've seen.

For example, Firefox caches the OCSP response for 24 hours only and not 
at all between restarts. From what I've seen, Microsoft also uses 
Cache-Control headers in order to determine for how long to cache OCSP 
(and CRLs), which makes it a bit difficult to determine when it would 
update, but I assume that CAs will leave this fairly short for obvious 
reasons (also in the 24-hour range).

> You're arguing that these clients are thus more secure (with OCSP) 
> than they are with short-lived certificates, and it would help to 
> understand how this claim is formed.

Yes, hope the above helps.

Signer: Eddy Nigg, COO/CTO
        StartCom Ltd. <http://www.startcom.org>
XMPP:   startcom at startcom.org <xmpp:startcom at startcom.org>
Blog:   Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
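As an added illustration that is not part of this thread, the Python sketch below puts numbers on the comparison being made: the longest a revoked certificate can keep being accepted under each model (short-lived cert with no revocation check, client-side OCSP with a 24-hour cache, stapled OCSP refreshed by the server), plus the Cache-Control clamping behaviour the mail attributes to Microsoft. The 10-day lifetime and 24-hour client cache come from the thread; the staple refresh interval, response validity and header values are constructed assumptions.

```python
import re
from datetime import datetime, timedelta


def ocsp_cache_seconds(fetched_at_iso, cache_control, next_update_iso):
    """Seconds a client that honours HTTP Cache-Control would reuse a cached
    OCSP response. The HTTP max-age is clamped to the response's own
    nextUpdate, so a CA that keeps max-age short keeps the client cache short.
    With no max-age at all this model caches nothing (returns 0)."""
    fetched = datetime.fromisoformat(fetched_at_iso)
    next_update = datetime.fromisoformat(next_update_iso)
    m = re.search(r"max-age=(\d+)", cache_control or "", re.IGNORECASE)
    http_expiry = fetched + timedelta(seconds=int(m.group(1))) if m else fetched
    return int((min(http_expiry, next_update) - fetched).total_seconds())


def worst_case_exposure_hours(model, cert_lifetime_h=240, client_cache_h=24,
                              staple_refresh_h=6, response_validity_h=24):
    """Longest time (hours) a revoked certificate can still be accepted after
    the CA publishes the revocation. Defaults: 10-day cert and 24-hour client
    cache as quoted in the thread; refresh and validity are assumptions."""
    if model == "short-lived":
        # No revocation check at all: trusted until the cert simply expires.
        return cert_lifetime_h
    if model == "client-ocsp":
        # Client reuses its cached 'good' response until the cache entry
        # lapses; the entry can never outlive the response's nextUpdate.
        return min(client_cache_h, response_validity_h)
    if model == "stapled":
        # Server keeps stapling the stale 'good' response until it refreshes;
        # clients will not accept that response past nextUpdate either.
        return min(staple_refresh_h, response_validity_h)
    raise ValueError(f"unknown model {model!r}")


if __name__ == "__main__":
    # Constructed sample: response fetched at 17:00 UTC, valid for 24 hours.
    secs = ocsp_cache_seconds("2015-06-11T17:00:00+00:00",
                              "max-age=3600, public",
                              "2015-06-12T17:00:00+00:00")
    print(f"Cache-Control client reuses response for {secs} s")
    for model in ("short-lived", "client-ocsp", "stapled"):
        print(f"{model:12s} worst case {worst_case_exposure_hours(model):4d} h")
```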
