On 02/08/14 15:20, Jesper Kristensen wrote:
> * Have you considered adding support for multiple OCSP staples to allow
> stapling of CA certs?

There is a proposed standard for multi-stapling but as far as I remember it's not even finished yet, let alone implemented and deployed. We decided that we can't wait for it.

> * Why not allow short-lived CA certs without revocation info, just like
> EE certs?

I'm not sure there are any CAs out there who would like to get their root key out of its secure storage every 3 days.

> * While must-staple and short-lived certificates seem to be scalable
> solutions, OneCRL seems to be a hack needed to make things work in the
> current situation. It would be nice if this could be explicitly stated,
> and even better if you could declare it as a temporary solution intended
> to be used only until more scalable solutions are specced, implemented
> and deployed.

It's not a temporary solution for intermediate certs. Well, perhaps it's possible that multi-stapling could eventually supplant it (if TCP init windows also enlarge) but I don't think it's really necessary to speculate on that yet.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy