On Aug 4, 2014, at 9:21 AM, Rob Stradling <rob.stradl...@comodo.com> wrote:
> On 04/08/14 14:16, Gervase Markham wrote:
>> On 02/08/14 15:20, Jesper Kristensen wrote:
>>> * Have you considered adding support for multiple OCSP staples to allow
>>> stapling of CA certs?
>>
>> There is a proposed standard for multi-stapling but as far as I remember
>> it's not even finished yet, let alone implemented and deployed. We
>> decided that we can't wait for it.
>
> FWIW, it's a Standards Track RFC now.
>
> http://tools.ietf.org/html/rfc6961
>
> I'm not aware of any implementations though.

Funny enough, I'm an author on RFC 6169 :)
http://tools.ietf.org/html/rfc6169

Multi-stapling seems like a reasonable idea in principle. However, given the lack of implementation, it seems like a OneCRL-like strategy for intermediates is likely to have more impact faster.

--Richard

>
>>> * Why not allow short-lived CA certs without revocation info, just like
>>> EE certs?
>>
>> I'm not sure there are any CAs out there who would like to get their
>> root key out of its secure storage every 3 days.
>
> Ouch. Painful.
>
>>> * While must-staple and short-lived certificates seem to be scalable
>>> solutions, OneCRL seems to be a hack needed to make things work in the
>>> current situation. It would be nice if this could be explicitly stated,
>>> and even better if you could declare it as a temporary solution intended
>>> to be used only until more scalable solutions are specced, implemented
>>> and deployed.
>>
>> It's not a temporary solution for intermediate certs. Well, perhaps it's
>> possible that multi-stapling could eventually supplant it (if TCP init
>> windows also enlarge) but I don't think it's really necessary to
>> speculate on that yet.
>>
>> Gerv
>>
>>
>> _______________________________________________
>> dev-security-policy mailing list
>> dev-security-policy@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy
>>
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online