> As owner of the certificate, I think you actually don't want to do that, > because things will stop working. If it's revoked you want to get a new > certificate, and as long as you don't have the new one, you want to use the > old certificate and staple the good OCSP response. >
That depends on what you're optimizing for. While your solution definitely helps with Availability, it deprioritizes Confidentiality and Integrity. For example, if your private key was compromised and your certificate subsequently revoked, your service would continue to be accessible (good availability) but all communications could be MITMed (bad for Confidentiality and Integrity). Thanks, Corey This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
