Re: Origin Signed Responses and certificate requirements

On Tue, Apr 17, 2018 at 2:44 PM, Jeffrey Yasskin <jyasskin@chromium.org>
wrote:

> I'm nervous about shortening OCSP lifetime for signed exchanges because
> one of the use cases is for P2P sharing between offline clients. It's true
> that the OCSP response is cheap to transfer, but I suspect we can't ask the
> user to turn on their mobile data while they're loading the app they got
> from their friend, partly because phone OSes aren't designed to just
> transfer the one cheap thing when they get online, and partly because the
> data plan may be completely used up for the month.
>

Note that shortening the OCSP lifetime also requires actions upon CAs, on a
topic that is significantly more complex for them than introducing
additional key usages. If the desire is to make deployability simpler, then
CAs can happily attest that shortening lifetime increases the overall cost
that CAs bear - in terms of bandwidth, but also in terms of computational
overhead if ensuring proper key splitting. In this regard, splitting the
certificate capabilities improves the deployment scenario, by ensuring that
separate parts of the ecosystem can move at separate paces / adopt separate
policies, without adversely affecting the deployability or agility of other
types.

Received on Tuesday, 17 April 2018 18:52:25 UTC