[cabfpub] Pre-Ballot - Short-Life Certificates

Ryan Sleevi sleevi at google.com
Fri Oct 24 11:42:36 MST 2014


Rich,

As has been explained in the past, with OCSP stapling the 'attacker' can
replay the good response to all clients.

They really are the same security risk profile.

On Oct 24, 2014 11:37 AM, "Rich Smith" <richard.smith at comodo.com> wrote:

> Only if EVERY user who will hit the site after the certificate is
> revoked has already visited the site prior to revocation and cached the
> Good response.  Very unlikely, so a very shaky definition of 'better' IMO.
>
> On 10/24/2014 1:30 PM, Jeremy.Rowley wrote:
> > It's actually
> > better than OCSP as defined in the BRs since that has a 10 day validity
> > period.