Re: Spencer Dawkins' No Objection on draft-ietf-httpbis-origin-frame-04: (with COMMENT)

On Tue, Jan 9, 2018 at 6:53 PM, Mark Nottingham <mnot@mnot.net> wrote:

> Hi Spencer,
>
> > On 9 Jan 2018, at 1:43 am, Spencer Dawkins <spencerdawkins.ietf@gmail.com> wrote:
> >
> > I don't object to publishing this document, but I do have an honest question.
> > Is OCSP sufficiently robust and stable that you're expecting OCSP checks to
> > work as a security mitigation?
> >
> > I remember some concerns about that in the SIP community, probably three years
> > ago, and thought I should ask before the document is approved.
>
> On the Web I think it's reasonable, when using OCSP stapling. Note that
> it's given as an example here; it's up to an implementation to decide
> what's appropriate.
>

Well, it's potentially reasonable with MUST STAPLE, though the exposure
window is pretty long.

-Ekr

>
> Thanks,
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>

Received on Wednesday, 10 January 2018 03:22:26 UTC