[cabfpub] Short-Lived Certs - the return
Eddy Nigg
eddy_nigg at startcom.org
Thu Jun 11 17:02:47 UTC 2015
On 06/11/2015 07:36 PM, Ryan Sleevi wrote:
>
> We're not talking about caching, we're talking about stapling.
Well, I wasn't talking about stapling really :-)
Stapling is currently supported by only 25% of web sites serving
certificates, but even here I believe servers can take a more
conservative approach and update the OCSP response every X hours or so.
I'd recommend it in any case.
> There is a difference, certainly if we are talking about the max.
> time of 10 days (which is commercially interesting enough for an
> attacker I guess, and probably the reason why some/most browsers
> cache the OCSP response for only 24 hours).
>
>
> Again, I'd appreciate if you could name names, because this is not
> true for implementations that I've seen.
For example, Firefox caches the OCSP response for 24 hours only and not
at all between restarts. From what I've seen, Microsoft also uses
Cache-Control headers in order to determine for how long to cache OCSP
(and CRLs), which makes it a bit difficult to determine when it would
update, but I assume that CAs will leave this fairly short for obvious
reasons (also in the 24-hour range).
> You're arguing that these clients are thus more secure (with OCSP)
> than they are with short-lived certificates, and it would help to
> understand how this claim is formed.
Yes, hope the above helps.
--
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
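As an added illustration (not part of this message or the list thread), the model below puts numbers on the worst-case window in which a client still accepts a revoked certificate under the three regimes debated above: client-side OCSP fetching with a 24-hour cache, OCSP stapling with a periodic server refresh, and short-lived certificates with no revocation checking. The 24-hour client cache and the 10-day OCSP response validity come from the thread; the 6-hour server refresh interval and the certificate lifetimes are assumed inputs, and the model itself is a constructed simplification.

```python
"""Worst-case hours a client keeps accepting a revoked certificate under the
three regimes debated in the thread. Constructed model, not from the thread:
revocation is at t = 0 and every party got its last "good" OCSP answer an
instant earlier (worst case); a cached or stapled response is honoured until
the client cache TTL or the response's nextUpdate, whichever comes first."""
from dataclasses import dataclass

HOUR, DAY = 1.0, 24.0


@dataclass(frozen=True)
class OcspPolicy:
    response_validity: float  # thisUpdate -> nextUpdate window, in hours
    client_cache_ttl: float   # how long the client reuses a response, in hours


def client_fetch_exposure(p: OcspPolicy) -> float:
    """Client fetches OCSP itself: a cached 'good' answer lives until the cache
    entry expires or the response reaches nextUpdate."""
    return min(p.client_cache_ttl, p.response_validity)


def stapling_exposure(p: OcspPolicy, server_refresh: float) -> float:
    """Server staples and re-fetches every `server_refresh` hours. The last
    client to see the stale 'good' staple gets it just before that refresh and
    may then cache it, still bounded by the response's nextUpdate."""
    refresh = min(server_refresh, p.response_validity)
    return min(refresh + p.client_cache_ttl, p.response_validity)


def short_lived_exposure(cert_lifetime: float) -> float:
    """Short-lived cert with no revocation checking: accepted until it expires."""
    return cert_lifetime


def compare(server_refresh: float, cert_lifetime: float) -> dict:
    """Exposure (hours) per regime with the thread's figures: 10-day OCSP
    response validity and a 24 h client cache (Firefox, per the thread)."""
    policy = OcspPolicy(response_validity=10 * DAY, client_cache_ttl=24 * HOUR)
    return {
        "client OCSP fetch, 24h cache": client_fetch_exposure(policy),
        f"stapling, server refresh every {server_refresh:g}h": stapling_exposure(policy, server_refresh),
        "stapling, server never refreshes": stapling_exposure(policy, policy.response_validity),
        f"short-lived cert, {cert_lifetime / DAY:g}-day lifetime, no checks": short_lived_exposure(cert_lifetime),
    }


if __name__ == "__main__":
    for regime, hours in compare(server_refresh=6 * HOUR, cert_lifetime=10 * DAY).items():
        print(f"{regime:50s} {hours:6.0f} h")
```

The numbers make the thread's point visible: a client that refetches every 24 hours is exposed for at most a day, a stapled response that the server never refreshes is exposed for the full 10 days, and a short-lived certificate is exposed for its whole lifetime.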