[cabfpub] Pre-Ballot - Short-Life Certificates

Jeremy.Rowley jeremy.rowley at digicert.com
Fri Oct 24 12:03:05 MST 2014


Plus, that still ignores the 10-day lifetime for OCSP.  If you have an 
even distribution of hits during that time, the time to revoke is 5 
days.  With Gerv's proposal, the time to revoke is only 2 days - and 
it's a 100% revocation at that time.

Maybe everyone hitting the site is unlikely for mom-and-pop shops, but 
for someone like Google or Amazon (where people often visit their page 
at least once every 10 days), a two-day window is a significant 
improvement. Considering the work required to deploy short-lived certs, 
we probably don't need to worry about rapid adoption by mom-and-pop sites.

Jeremy

On 10/24/2014 12:42 PM, Ryan Sleevi wrote:
>
> Rich,
>
> As has been explained in the past, with OCSP stapling the 'attacker' 
> can replay the gold response to all clients.
>
> They really are the same security risk profile.
>
> On Oct 24, 2014 11:37 AM, "Rich Smith" <richard.smith at comodo.com 
> <mailto:richard.smith at comodo.com>> wrote:
>
>     Only if EVERY user who will hit the site after the certificate is
>     revoked has already visited the site prior to revocation and
>     cached the Good response.  Very unlikely, so a very shaky
>     definition of 'better' IMO.
>
>     On 10/24/2014 1:30 PM, Jeremy.Rowley wrote:
>     > It's actually better than OCSP as defined in the BRs since that
>     > has a 10-day validity period.
>
>     _______________________________________________
>     Public mailing list
>     Public at cabforum.org <mailto:Public at cabforum.org>
>     https://cabforum.org/mailman/listinfo/public
>
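The exposure-window comparison argued in the message above, written out as an added example (not code from the thread or from any CA/B Forum participant). It takes the two mechanisms as the thread frames them: under OCSP stapling an attacker replays the freshest 'good' response until its nextUpdate (Ryan's point), while a short-lived certificate is simply never renewed after revocation and expires on its notAfter. The 10-day OCSP lifetime and 2-day certificate lifetime are the figures cited in the thread; every timestamp is constructed sample data, and the uniform-revocation-time averaging is the 'even distribution' assumption made above, not a measured result.

```python
"""Added example (not from the thread): how long a revoked certificate keeps
being accepted under (a) OCSP stapling, where an attacker replays the last
'good' response until its nextUpdate, and (b) a short-lived certificate that
is never renewed after revocation and simply expires.  Validity lengths follow
the thread (10-day OCSP responses, 2-day certificates); timestamps are
constructed sample data.
"""
from datetime import datetime, timedelta

OCSP_MAX_VALIDITY_DAYS = 10   # OCSP response lifetime cited in the thread
SHORT_LIVED_DAYS = 2          # certificate lifetime under the proposal, per the thread


def _ts(iso: str) -> datetime:
    """Parse a constructed sample timestamp (ISO 8601, treated as UTC)."""
    return datetime.fromisoformat(iso)


def replay_window_days(valid_from: str, valid_until: str, revoked_at: str) -> float:
    """Days after revocation during which a relying party still accepts the
    certificate, given an artefact (stapled OCSP response or the certificate
    itself) valid over [valid_from, valid_until].  Assumption: the attacker
    holds the freshest artefact issued before revocation and replays it
    until valid_until, so caching by individual clients does not matter."""
    start, end, rev = _ts(valid_from), _ts(valid_until), _ts(revoked_at)
    if rev < start:
        raise ValueError("revocation precedes the artefact's validity period")
    if rev >= end:
        return 0.0
    return (end - rev) / timedelta(days=1)


def expected_window_days(validity_days: float, samples: int = 1000) -> float:
    """Mean replay window when revocation lands at a uniformly random point
    inside a validity period (the 'even distribution' assumption above).
    Numerically averages over a grid of revocation instants."""
    total = 0.0
    for i in range(samples):
        rev = validity_days * (i + 0.5) / samples
        total += validity_days - rev
    return total / samples


def compare(revoked_at: str, ocsp_this_update: str, cert_not_before: str) -> dict:
    """Worst-case and mean acceptance windows for both mechanisms around one
    revocation.  Assumes the OCSP response and the certificate each run for
    the full lifetime the thread cites."""
    ocsp_next_update = (_ts(ocsp_this_update)
                        + timedelta(days=OCSP_MAX_VALIDITY_DAYS)).isoformat()
    cert_not_after = (_ts(cert_not_before)
                      + timedelta(days=SHORT_LIVED_DAYS)).isoformat()
    return {
        "ocsp_replay_days": replay_window_days(ocsp_this_update, ocsp_next_update, revoked_at),
        "short_lived_days": replay_window_days(cert_not_before, cert_not_after, revoked_at),
        "ocsp_expected_days": expected_window_days(OCSP_MAX_VALIDITY_DAYS),
        "short_lived_expected_days": expected_window_days(SHORT_LIVED_DAYS),
    }


if __name__ == "__main__":
    # Constructed sample: OCSP response signed 20 Oct, certificate issued
    # 23 Oct, compromise discovered and certificate revoked 24 Oct at noon.
    result = compare("2014-10-24T12:00:00", "2014-10-20T00:00:00", "2014-10-23T00:00:00")
    for name, days in result.items():
        print(f"{name:>26}: {days:5.2f}")
```

With the constructed timestamps the replayed OCSP response stays acceptable for 5.5 days after revocation and the short-lived certificate for 0.5 days; averaged over a uniformly placed revocation instant the model returns the 5-day OCSP figure from the message, and for the 2-day certificate a worst case of 2 days and a mean of 1 day. The model treats the validity period as the only bound: it does not account for clients that refuse stale staples or for CAs that sign fresh responses more often than the maximum.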
