Jeremy,

Could you supply data to support your claim that "internet connected devices increasingly use trusted roots for connecting to smartphones"?
On Wed, Oct 4, 2017 at 8:21 PM, Jeremy Rowley via Public <[email protected]> wrote:

> Pre-signing OCSP responses for these certs is a waste of time as they’ll
> expire before the OCSP is ever delivered.

Delivered to who? Are you saying you deliver certificates before you've produced OCSP responses?

> When you are signing certs daily, even signing that first OCSP response
> eats up lots of processing power without providing any benefit to the
> user. Removing OCSP for short-lived certs eliminates an external call to
> the CA

Stapling

> and makes the certificate smaller, both essential in device
> performance. Plus, Mozilla already supports not checking revocation for
> these certs, meaning the revocation info is completely useless in at least
> one browser.
>
> Any takers on supporting this?

Do you have any new data to suggest clock skew isn't a significant issue, and that such certificates would represent compatibility problems for the ecosystem if deployed? Is the assumption that it's the sites and users' fault/responsibility, despite the overall ecosystem widespread use could cause?
