On Wed, Feb 5, 2014 at 12:26 PM, Rob Stradling <[email protected]> wrote:
> Presumably it's somewhere between 10 and 31 days, since 1 SCT is acceptable
> for Stapled OCSP and the BRs permit OCSP Responses to be valid for up to 10
> days.

The speed at which we need to distrust a log depends on the minimum number of SCTs actually, which is why allowing a single SCT in stapled OCSP responses is such a large concession. If the minimum number of SCTs were two then the pressure to distrust a log (and the pressure on the logs) would be dramatically reduced because compromising one log wouldn't be sufficient.

> Do you still think [1] is a good plan?

Sure, if any CAs are willing to do it now :)

> How about requiring only 1 SCT for certs with durations <= the maximum
> validity period for an OCSP Response?

I agree that, if we're going to allow one SCT for stapled OCSP responses then we might as well allow one for 10 day certs. However, the only case where ~100 bytes makes any difference is if the certificate chain is right on the edge of the initcwnd and the server cannot (somehow?) set the initcwnd. I.e. it's gone cargo cult.

Cheers

AGL

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
