undefined | Better HN

0 pointsrealusername5y ago0 comments

I see indeed, I don't think they are going with the right approach here, there should be an automatic way to upgrade signed content / check for updates, short signatures just destroys the benefits of the feature.

0 comments

foepys5y ago

It's the only way to do it. TLS has shown that OCSP and the likes are not adding significant security and short certificate expiration is the only way to go.

The serving nodes are not necessarily under control of a well intended party that complies with upgrade requests.

ehsankia5y ago

And I don't see the issue with short expiry. The point of a cache is to reduce load, not to entirely eliminate it. Even with a 5m expiry, it's still 5 orders of magnitude better than having a 100+ QPS on your server.

j / k navigate · click thread line to collapse

0 pointsrealusername5y ago0 comments

0 comments

foepys5y ago

It's the only way to do it. TLS has shown that OCSP and the likes are not adding significant security and short certificate expiration is the only way to go.

The serving nodes are not necessarily under control of a well intended party that complies with upgrade requests.

ehsankia5y ago

j / k navigate · click thread line to collapse