![]() No changes would be required in web browsers and minimal changes would be required to web servers (just a job to fetch new certs periodically). Now that we have the requirement that the CA must be polled periodically for HTTPS websites to function (either directly or via stapling), we might as well replace all these OCSP hacks with a more flexible and more secure system that signs & returns short lived certificates. ![]() This effectively nullifies all of the technical benefits of using PKI. Even if we were to enforce OCSP 100% of the time, SSL certs would necessarily become untrusted by default until they were authorized by the certificate authority. I cannot strictly fault the browsers here because OCSP reliability/performance is not where it needs to be. ![]() Oh yeah, just as secure huh? take a look at the recent bruhaha about and the way chromium check whether certs are revoked or not:
0 Comments
Leave a Reply. |