undefined | Better HN

0 pointsgruez5y ago0 comments

>and publish a revocation via CRL if the validation times out or fails for 1 month + 1 day.

If you're in a position to MITM using a stolen certificate, you're probably also in a position to block the CRL response from going through. Since failing to get an updated CRL doesn't result in a security warning, your CRL proposal is essentially useless.

0 comments

majewsky5y ago

> you're probably also in a position to block the CRL response from going through

Not if the certificate is OCSP-Must-Staple.

j / k navigate · click thread line to collapse

0 comments

majewsky5y ago

> you're probably also in a position to block the CRL response from going through

Not if the certificate is OCSP-Must-Staple.

j / k navigate · click thread line to collapse