by toast0 1251 days ago
Invalidation more or less doesn't work. Mandatory OCSP stapling could change that, maybe, but it also means your clients need to have much tighter time synchronization[1], your servers need to be able to make the OCSP requests, and the OCSP servers need to have relatively high availability. An extended DDoS against an OCSP server in a mandatory stapling environment would effectively invalidate large numbers of certificates and be a real big mess.

[1] and no localtime bugs; I've worked with platforms that don't accept certificates where NotBefore interpreted in local time hasn't been reached, which means you've got to let your certificates sit for hours before using them if you have customers in Hawaii or other Pacific islands on this side of the date line.

At least certificate errors are big and in your face, unlike BGP and sometimes DNS.
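The localtime bug in footnote [1] is easy to reproduce without any real certificates. The example below is added here and is not the commenter's code: it parses an X.509 validity timestamp the way RFC 5280 specifies (UTCTime and GeneralizedTime are always UTC, the trailing "Z"), and beside it a deliberately buggy variant that keeps the same digits but labels them with the client's local zone. The timestamps and the UTC-10 offset (assumed here for Hawaii) are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 5280 validity times: UTCTime is YYMMDDHHMMSSZ (two-digit year, 50-99 -> 19xx,
# 00-49 -> 20xx), GeneralizedTime is YYYYMMDDHHMMSSZ. Both are always UTC.
UTCTIME_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
GENERALIZEDTIME_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def parse_x509_time(value: str) -> datetime:
    """Correct parse: returns a timezone-aware datetime in UTC."""
    m = GENERALIZEDTIME_RE.match(value)
    if m:
        year, month, day, hour, minute, second = map(int, m.groups())
    else:
        m = UTCTIME_RE.match(value)
        if not m:
            raise ValueError(f"not an RFC 5280 UTC time: {value!r}")
        yy, month, day, hour, minute, second = map(int, m.groups())
        year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_x509_time_localtime_bug(value: str, local_utc_offset_hours: int) -> datetime:
    """Buggy parse (the platform behaviour described in the comment): the digits are
    read as if they were local wall-clock time instead of UTC. Modelled with an explicit
    offset so the result does not depend on the machine running this example."""
    correct = parse_x509_time(value)
    local_zone = timezone(timedelta(hours=local_utc_offset_hours))
    # Same wall-clock digits, wrong zone label: the instant shifts by -offset.
    return correct.replace(tzinfo=local_zone)


def not_before_satisfied(not_before: datetime, now: datetime) -> bool:
    """The NotBefore check every validator performs; both inputs are tz-aware."""
    return now >= not_before


def hours_until_accepted(not_before_value: str, now: datetime, local_utc_offset_hours: int) -> float:
    """How long a freshly issued certificate would have to 'sit' before a client with
    the localtime bug in the given zone starts accepting it (0.0 if accepted already)."""
    buggy_not_before = parse_x509_time_localtime_bug(not_before_value, local_utc_offset_hours)
    delay = (buggy_not_before - now).total_seconds() / 3600.0
    return max(0.0, delay)


if __name__ == "__main__":
    # Constructed scenario: certificate issued at 2024-01-01 00:00:00Z, checked immediately.
    not_before = "240101000000Z"
    now = datetime(2024, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    print("correct validator accepts:", not_before_satisfied(parse_x509_time(not_before), now))
    for name, offset in (("Hawaii (UTC-10)", -10), ("UTC", 0), ("CET (UTC+1)", 1)):
        buggy = parse_x509_time_localtime_bug(not_before, offset)
        print(f"{name}: accepts={not_before_satisfied(buggy, now)} "
              f"wait={hours_until_accepted(not_before, now, offset):.1f}h")
```

Running it shows the asymmetry the footnote hints at: in zones west of UTC the buggy client rejects a brand-new certificate for as many hours as the zone is behind UTC (ten for Hawaii), while in zones east of UTC the same bug silently accepts the certificate before its NotBefore has actually been reached, a failure that produces no error at all.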