----- Original Message -----
> From: "Gervase Markham" <[email protected]>
> To: [email protected]
> Sent: Thursday, September 4, 2014 3:04:33 PM
> Subject: Re: Short-lived certs
>
> On 04/09/14 12:52, Hubert Kario wrote:
> > It all depends on the exact definition of "short-lived". If the definition
> > is basically the same as for OCSP responses or shorter, then yes, they
> > provide the same security as regular certs with hard fail for OCSP
> > querying/stapling.
>
> The exact definition of "short-lived" is something I want to declare out
> of scope for this particular discussion.
>
> > I'm not sure what gives us the removal of revocation info from the certificate.
>
> Because there are lots of clients out there who check revocation info
> always if the pointers are present. The only way to stop them doing that
> (and so realise the speed advantage) is by not putting revocation info
> in the cert.

From what I heard (and my limited personal experience matches), the vast majority of clients not only completely ignore failures in OCSP retrieval (soft-fail) but also completely lack any mechanism for revocation checking (be it OCSP or CRL). In fact, that is the main driver behind must-staple.

Can you provide examples to the contrary?

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: [email protected]
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

