On 04/08/14 14:16, Gervase Markham wrote:
> On 02/08/14 15:20, Jesper Kristensen wrote:
>> * Have you considered adding support for multiple OCSP staples to allow
>> stapling of CA certs?
>
> There is a proposed standard for multi-stapling but as far as I remember
> it's not even finished yet, let alone implemented and deployed. We
> decided that we can't wait for it.

FWIW, it's a Standards Track RFC now.

http://tools.ietf.org/html/rfc6961

I'm not aware of any implementations though.

>> * Why not allow short-lived CA certs without revocation info, just like
>> EE certs?
>
> I'm not sure there are any CAs out there who would like to get their
> root key out of its secure storage every 3 days.

Ouch. Painful.

>> * While must-staple and short-lived certificates seem to be scalable
>> solutions, OneCRL seems to be a hack needed to make things work in the
>> current situation. It would be nice if this could be explicitly stated,
>> and even better if you could declare it as a temporary solution intended
>> to be used only until more scalable solutions are specced, implemented
>> and deployed.
>
> It's not a temporary solution for intermediate certs. Well, perhaps it's
> possible that multi-stapling could eventually supplant it (if TCP init
> windows also enlarge) but I don't think it's really necessary to
> speculate on that yet.
>
> Gerv
>
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
