On 04/09/14 14:04, Gervase Markham wrote:
> On 04/09/14 12:52, Hubert Kario wrote:
>> It all depends on the exact definition of "short-lived". If the definition
>> is basically the same as for OCSP responses or shorter, then yes, they
>> provide the same security as regular certs with hard fail for OCSP
>> querying/stapling.
>
> The exact definition of "short-lived" is something I want to declare out
> of scope for this particular discussion.
>
>> I'm not sure what the removal of revocation info from the certificate
>> gives us.
>
> Because there are lots of clients out there who check revocation info
> always if the pointers are present. The only way to stop them doing that
> (and so realise the speed advantage) is by not putting revocation info
> in the cert.

Today, if an end-entity cert contains no AIA->OCSP URL and the server
sends no stapled OCSP response, it's a violation of the BRs. I wonder
if any clients out there would reject the cert in this situation? (I
suspect not, but it's something to watch out for).
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
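The two questions in the thread are whether a cert carries any revocation pointer at all (the thing Gerv says clients key on) and whether, when it carries none, its lifetime is short enough to stand in for an OCSP response. The script below is an added example, not code from this thread or from any of its participants: it builds two constructed self-signed certs with openssl, one 1-day cert with no pointers and one 365-day cert with an AIA OCSP URL, and classifies each. The 7-day window, the example.test names and the http://ocsp.example.test/ URL are assumptions; openssl 1.1.1 or later is needed for -addext.

```shell
#!/bin/sh
# Added example: classify an end-entity cert by revocation pointers and lifetime.
# Requires openssl (1.1.1+ for -addext). Nothing here is from the original thread.

WORK=$(mktemp -d)

# Constructed sample 1: 1-day self-signed cert with no AIA/CRL pointers at all.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=short-lived.example.test" \
    -keyout "$WORK/short.key" -out "$WORK/short.pem" >/dev/null 2>&1

# Constructed sample 2: 365-day cert that carries an AIA OCSP URL (placeholder host).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=long-lived.example.test" \
    -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test/" \
    -keyout "$WORK/long.key" -out "$WORK/long.pem" >/dev/null 2>&1

# Succeeds if the cert has an AIA OCSP URL, i.e. a pointer clients may follow.
has_ocsp_pointer() {
    [ -n "$(openssl x509 -in "$1" -noout -ocsp_uri)" ]
}

# Succeeds if the cert has a CRL distribution point extension.
has_crl_pointer() {
    openssl x509 -in "$1" -noout -text | grep -q "X509v3 CRL Distribution Points"
}

# Succeeds if the cert expires within $2 seconds from now.
# openssl -checkend exits 0 when the cert will NOT expire in that window, so negate it.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Prints one of:
#   pointers                - revocation pointers present; checking clients will fetch
#   short-lived-no-pointers - no pointers, but lifetime is within the assumed window
#   long-lived-no-pointers  - no pointers and long validity; needs stapling to satisfy the BRs
classify_cert() {
    cert=$1
    window=${2:-604800}   # assumed threshold: 7 days, comparable to an OCSP response lifetime
    if has_ocsp_pointer "$cert" || has_crl_pointer "$cert"; then
        echo pointers
    elif expires_within "$cert" "$window"; then
        echo short-lived-no-pointers
    else
        echo long-lived-no-pointers
    fi
}

classify_cert "$WORK/short.pem"   # short-lived-no-pointers
classify_cert "$WORK/long.pem"    # pointers
```

Note that -checkend measures remaining lifetime from now rather than the cert's total validity period, so for certs that were not just issued you would compare notBefore and notAfter directly; for the freshly generated samples the two are the same.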