[cabfpub] Short-Lived Certs - the return
Eddy Nigg
eddy_nigg at startcom.org
Thu Jun 11 21:29:22 UTC 2015
On 06/11/2015 08:13 PM, Ryan Sleevi wrote:
> On Thu, Jun 11, 2015 at 10:02 AM, Eddy Nigg <eddy_nigg at startcom.org
> <mailto:eddy_nigg at startcom.org>> wrote:
>
>
> Well, I wasn't talking about stapling really :-)
>
> But stapling is supported currently by only 25% of web sites
> serving certificates, but even here I believe servers can take a
> more conservative approach and update the OCSP every X hours or
> so. I'd recommend it in any case.
>
>
> Sure, but good security practices don't affect the minimum security.
> That's been the point repeatedly in these discussions. The question
> has been "How long can an attacker use a bad certificate" and "How
> quickly will clients notice" - and an attacker that can staple a
> response for 10 days (since stapling is widely supported in the major
> browsers) is an attacker that can use that bad certificate.
You mean the attacker will use stapling in that case. Might make sense
in which case I believe we might also want to review the current
requirements. We don't use 10 days and most likely most major CAs don't
(top ten accounting for 97% or so of all certs). In which case we also
might find support to reduce this time to less.
It doesn't change my stance though that certificates should have always
revocation pointers and software vendors may implement their own criteria.
--
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150612/469d6727/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4313 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150612/469d6727/attachment-0001.p7s>
More information about the Public
mailing list