Jean-Marc Desperrier wrote:
> In the more secure version of OCSP, you use no validity duration; you include a nonce in your request that must be present in the response, so the response must be generated on demand and can't be cached.
>
> In other words, a nonce is a way of having a lifetime of zero for the OCSP request.


IMO, given other latencies which would be present in a system for revoking the cert of a phishing site, a near-equivalent level of security with much greater scalability could be achieved by having nonce-less operation, 1-minute timeouts, and using the TLS extensions which (I am told) allow the webserver to deliver the OCSP response rather than the OCSP responder itself. Then, the OCSP server has to service one request every 30 seconds per webserver, rather than one request per client connection.

Gerv
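The trade-off Gerv sketches (a nonce per client connection versus nonce-less responses with a short validity window that the web server fetches once and delivers to every client) can be made concrete with a small simulation. The following is an added example, not code from the thread or from any Mozilla/NSS component: the "signature" is an HMAC stand-in for the responder's real signature, the serial number, the 60-second lifetime, the 30-second refresh and the one-connection-per-second load are all constructed values, and the class and function names are the example's own. It counts how many responder requests each mode generates over ten minutes and how long a revocation takes to become visible to clients, and shows the check each mode relies on: a nonce mismatch in nonce mode, the validity window in stapled mode.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

RESPONDER_KEY = b"constructed-responder-signing-key"  # stand-in for the responder's private key


@dataclass(frozen=True)
class OCSPResponse:
    serial: str
    status: str                 # "good" or "revoked"
    this_update: int            # simulated clock, in seconds
    next_update: Optional[int]  # None: no validity window (nonce mode)
    nonce: Optional[bytes]
    sig: bytes


def _signed_body(serial, status, this_update, next_update, nonce):
    nonce_hex = nonce.hex() if nonce else ""
    return f"{serial}|{status}|{this_update}|{next_update}|{nonce_hex}".encode()


class Responder:
    """Toy OCSP responder that counts the requests it services."""

    def __init__(self):
        self.revoked = set()
        self.requests_served = 0

    def revoke(self, serial):
        self.revoked.add(serial)

    def respond(self, serial, now, nonce=None, lifetime=None):
        self.requests_served += 1
        status = "revoked" if serial in self.revoked else "good"
        next_update = None if lifetime is None else now + lifetime
        body = _signed_body(serial, status, now, next_update, nonce)
        sig = hmac.new(RESPONDER_KEY, body, hashlib.sha256).digest()
        return OCSPResponse(serial, status, now, next_update, nonce, sig)


def verify(resp, now, expected_nonce=None):
    """Client-side check. With a nonce the response must echo it; without one
    the client has to enforce the validity window instead."""
    body = _signed_body(resp.serial, resp.status, resp.this_update, resp.next_update, resp.nonce)
    expected_sig = hmac.new(RESPONDER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, resp.sig):
        return "bad-signature"
    if expected_nonce is not None:
        if resp.nonce != expected_nonce:
            return "nonce-mismatch"  # replayed or cached response
    elif resp.next_update is None or now >= resp.next_update:
        return "stale"  # nonce-less response outside its window
    return resp.status


class StaplingWebServer:
    """Fetches one nonce-less response every `refresh` seconds and hands the
    cached copy to every client connection (the scheme proposed above)."""

    def __init__(self, responder, serial, lifetime=60, refresh=30):
        self.responder, self.serial = responder, serial
        self.lifetime, self.refresh = lifetime, refresh
        self.cached, self.last_fetch = None, None

    def staple(self, now):
        if self.cached is None or now - self.last_fetch >= self.refresh:
            self.cached = self.responder.respond(self.serial, now, lifetime=self.lifetime)
            self.last_fetch = now
        return self.cached


def simulate(mode, revoke_at=100, duration=600, serial="0x1234"):
    """One client connection per second; returns (responder requests,
    first second at which a client saw the certificate as revoked)."""
    responder = Responder()
    server = StaplingWebServer(responder, serial)
    first_seen_revoked = None
    for now in range(duration):
        if now == revoke_at:
            responder.revoke(serial)
        if mode == "nonce":
            nonce = secrets.token_bytes(16)
            result = verify(responder.respond(serial, now, nonce=nonce), now, expected_nonce=nonce)
        else:
            result = verify(server.staple(now), now)
        if result == "revoked" and first_seen_revoked is None:
            first_seen_revoked = now
    return responder.requests_served, first_seen_revoked


def replay_checks(serial="0x1234"):
    """What each mode rejects: a response for someone else's nonce, and a
    nonce-less response once its window has passed."""
    responder = Responder()
    with_nonce = responder.respond(serial, 0, nonce=secrets.token_bytes(16))
    replayed = verify(with_nonce, 0, expected_nonce=secrets.token_bytes(16))
    stapled = responder.respond(serial, 0, lifetime=60)
    return replayed, verify(stapled, 59), verify(stapled, 60)


if __name__ == "__main__":
    print("nonce mode  (requests, first revoked seen):", simulate("nonce"))
    print("staple mode (requests, first revoked seen):", simulate("staple"))
    print("rejections:", replay_checks())
```

With these constructed numbers the responder services 600 requests in nonce mode against 20 in stapled mode, and the revocation at t=100 is seen at t=100 versus t=120: the stapled client is never more than one refresh interval behind, and because it rejects any response past next_update it can never be more than the 60-second lifetime behind even if the web server stops refreshing.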
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
