think it's time
may have passed. The compressed CRL stuff that browsers are already
contemplating and deploying is a better path forward.
-Tim
From: TLS On Behalf Of Salz, Rich
Sent: Sunday, October 2, 2022 9:14 AM
To: Phillip Hallam-Baker
Cc: tls@ietf.org
Subject: Re: [TLS] OCSP and browsers
The TL;DR is that in the future we expect OCSP to be a lot less relevant.
I checked with our team, and the general story is that currently if there
is a valid OCSP stapled response we use it but otherwise do OCSP
In the future when we have CRLite enabled and it applies to the
certificate, then
On Sunday, 2 October 2022 15:13:31 CEST, Salz, Rich wrote:
Now we have ACME, why not move to 3 day certs issued daily
and avoid the need for revocation entirely?
Not all CAs in use on the WebPKI support ACME. Automating a
single-host to renew every 48 hours (have to allow for faults
and
> Now we have ACME, why not move to 3 day certs issued daily and avoid the need
> for revocation entirely?
Not all CAs in use on the WebPKI support ACME. Automating a single-host to
renew every 48 hours (have to allow for faults and retries) is okay, as long as
you are confident your site
Now we have ACME, why not move to 3-day certs issued daily and avoid the need
for revocation entirely?
For your use case – perhaps. For mine – no way.
On Fri, Sep 16, 2022 at 11:43 AM Salz, Rich wrote:
I think this is of general interest, so I’m posting here rather than poking
On Sat, Oct 01, 2022 at 09:33:30PM -0400, Phillip Hallam-Baker wrote:
> Now we have ACME, why not move to 3 day certs issued daily and avoid the
> need for revocation entirely?
This could put rather a strain on certificate transparency. 30x
the renewal cadence. Not that I personally
Now we have ACME, why not move to 3 day certs issued daily and avoid the
need for revocation entirely?
On Fri, Sep 16, 2022 at 11:43 AM Salz, Rich wrote:
> I think this is of general interest, so I’m posting here rather than
> poking friends I know.
>
> Browsers are phasing out doing OCSP
On Friday, 16 September 2022 17:42:08 CEST, Salz, Rich wrote:
I think this is of general interest, so I’m posting here rather
than poking friends I know.
Browsers are phasing out doing OCSP queries themselves. The
common justification, which makes sense to me, is that there are
privacy
I think this is of general interest, so I’m posting here rather than poking
friends I know.
Browsers are phasing out doing OCSP queries themselves. The common
justification, which makes sense to me, is that there are privacy concerns
about leaking where a user is surfing.
My question is, what