On Sat, Apr 22, 2017 at 07:53:50AM -0400, Eric Rescorla wrote:
> On Fri, Apr 21, 2017 at 10:52 AM, Nikos Mavrogiannopoulos <n...@redhat.com>
> wrote:
> 
> > On Tue, 2017-04-11 at 13:47 -0700, Eric Rescorla wrote:
> >
> > > Do you have any thoughts on what text we should insert here? I admit
> > > to being not that familiar with the practical matters of OCSP
> > > stapling.
> >
> > My issue with OCSP when used under TLS was how to determine the
> > validity of the response when the nextUpdate field is missing. I've
> > added some text for that introducing an (arbitrary) upper limit at:
> > https://github.com/tlswg/tls13-spec/pull/974
> 
> 
> This text looks good to me, but it is a normative change and we've
> been through WGLC so I'd like to hear from a few other people that they're
> OK with it (or have the chairs tell me that silence is consent). David
> Benjamin? Richard Barnes? Ryan Sleevi?

I searched what minimum standards for "public" CAs say. The maximum
lifetime there is 10 days (but IIRC some widely-used root program has
a lower limit, might have been 7 days).

Does anybody happen to know a CA that doesn't put NextUpdate in? If so,
what's the OCSP issuance frequency?



-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
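
The freshness decision this thread is about, as an added example that is not part of the original messages, the TLS 1.3 draft, or PR 974: a client-side check of a stapled OCSP response's validity interval that falls back to a locally chosen age cap when nextUpdate is absent. The function name, the 10-day fallback cap and the 5-minute clock-skew allowance are assumptions made for illustration, and the timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed values for illustration; neither is taken from the draft or the PR.
FALLBACK_MAX_AGE = timedelta(days=10)  # cap applied when nextUpdate is absent
CLOCK_SKEW = timedelta(minutes=5)      # tolerated client/responder clock drift


def stapled_response_status(this_update: datetime,
                            next_update: Optional[datetime],
                            now: datetime,
                            fallback_max_age: timedelta = FALLBACK_MAX_AGE,
                            skew: timedelta = CLOCK_SKEW) -> str:
    """Classify a stapled OCSP response by its validity interval.

    Returns "fresh", "not_yet_valid", "expired" or "malformed".
    """
    for t in (this_update, next_update, now):
        if t is not None and t.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
    # A response whose interval ends before it starts cannot be trusted.
    if next_update is not None and next_update < this_update:
        return "malformed"
    # thisUpdate in the future (beyond skew) means the response is not valid yet.
    if this_update - skew > now:
        return "not_yet_valid"
    # With nextUpdate the responder sets the expiry; without it the client
    # has to impose its own limit, measured from thisUpdate.
    if next_update is not None:
        expiry = next_update
    else:
        expiry = this_update + fallback_max_age
    return "expired" if now > expiry + skew else "fresh"


if __name__ == "__main__":
    now = datetime(2017, 4, 22, 12, 0, tzinfo=timezone.utc)  # constructed
    d = timedelta(days=1)
    cases = [
        ("nextUpdate present, inside window", now - 2 * d, now + 5 * d),
        ("nextUpdate present, passed", now - 8 * d, now - d),
        ("no nextUpdate, 3 days old", now - 3 * d, None),
        ("no nextUpdate, 30 days old", now - 30 * d, None),
        ("thisUpdate in the future", now + d, None),
        ("nextUpdate before thisUpdate", now, now - d),
    ]
    for label, this_upd, next_upd in cases:
        print(f"{label}: {stapled_response_status(this_upd, next_upd, now)}")
```
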
