[SSL Observatory] SSL CA compromise in the wild

Adam Langley agl at google.com
Wed Mar 23 15:11:46 PDT 2011


On Wed, Mar 23, 2011 at 6:07 PM, Sid Stamm <sid at mozilla.com> wrote:
> Would serving a stapled OCSP response help?  I think it's not necessary
> to have a live OCSP server connection, but a timely response in one way
> (stapled) or another (live).

Unfortunately, one can only staple a single OCSP response and nearly
everybody has a chained certificate these days. Even if OCSP stapling
were extended to include two responses, they're so large (1-2KB) that
it would overflow the initial congestion window. We can open up our
initcwnd, but many clients enforce the standard initcwnd with the flow
window. We also don't want to be sending that much extra data if
possible.


AGL
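To make the size argument in the reply above concrete, here is a small model of the server's first TLS handshake flight (ServerHello, Certificate, optional CertificateStatus, ServerHelloDone) that counts bytes and TCP segments and checks whether the flight fits inside the initial congestion window. This is an added example, not code from the thread or from Google or Mozilla. The certificate and OCSP response sizes are constructed inputs (a two-certificate chain with roughly 1.1-1.4 KB DER certificates and 1.5 KB OCSP responses, inside the 1-2 KB range mentioned); the encoding used for a second stapled response is an assumption, since RFC 6066 status_request only carries one; the 3-segment initcwnd is RFC 3390's value at a 1460-byte MSS.

```python
"""
Size model of a TLS 1.x server first flight: does a certificate chain plus
stapled OCSP response(s) fit in the TCP initial congestion window (initcwnd)
without waiting for a client ACK?

Added example, not code from the original thread. Certificate and OCSP sizes
are constructed; the two-response CertificateStatus encoding is an assumption.
"""
import math

MSS = 1460                 # TCP payload per segment on a 1500-byte MTU path (assumed)
STANDARD_INITCWND = 3      # RFC 3390: min(4*MSS, max(2*MSS, 4380)) -> 3 segments at MSS 1460
RECORD_HEADER = 5          # TLS record: type(1) + version(2) + length(2)
HANDSHAKE_HEADER = 4       # Handshake: msg_type(1) + length(3)
SERVER_HELLO_BODY = 74     # version, random, session id, cipher, compression, small extensions (approx.)


def record_len(body_len):
    """Bytes on the wire for one handshake message carried in its own TLS record."""
    return RECORD_HEADER + HANDSHAKE_HEADER + body_len


def certificate_body_len(chain):
    """Certificate message body: 3-byte list length, then 3-byte length + DER per cert."""
    return 3 + sum(3 + len(der) for der in chain)


def certificate_status_body_len(ocsp_responses):
    """CertificateStatus body.

    RFC 6066 allows exactly one response: status_type(1) + length(3) + DER.
    For more than one response we assume a list with a 3-byte length per
    response (hypothetical extension matching the thread's 'two responses').
    """
    if not ocsp_responses:
        return 0
    if len(ocsp_responses) == 1:
        return 1 + 3 + len(ocsp_responses[0])
    return 1 + 3 + sum(3 + len(r) for r in ocsp_responses)


def server_first_flight_len(chain, ocsp_responses=()):
    """Total bytes the server sends before it needs anything back from the client."""
    total = record_len(SERVER_HELLO_BODY)
    total += record_len(certificate_body_len(chain))
    if ocsp_responses:
        total += record_len(certificate_status_body_len(ocsp_responses))
    total += record_len(0)  # ServerHelloDone has an empty body
    return total


def segments_needed(nbytes, mss=MSS):
    return math.ceil(nbytes / mss)


def fits_initcwnd(nbytes, initcwnd=STANDARD_INITCWND, mss=MSS):
    """True if the whole flight goes out in the first burst, i.e. no extra RTT waiting for an ACK."""
    return segments_needed(nbytes, mss) <= initcwnd


# Constructed inputs: a 2-cert chain (typical 2048-bit RSA DER sizes) and 1.5 KB OCSP responses.
LEAF = b"\x30" * 1400
INTERMEDIATE = b"\x30" * 1100
CHAIN = [LEAF, INTERMEDIATE]
OCSP_LEAF = b"\x30" * 1500
OCSP_INTERMEDIATE = b"\x30" * 1500


def scenarios():
    """Flight size, segment count and initcwnd fit for no / one / two stapled responses."""
    out = {}
    for name, responses in (("no_staple", ()),
                            ("one_staple", (OCSP_LEAF,)),
                            ("two_staples", (OCSP_LEAF, OCSP_INTERMEDIATE))):
        n = server_first_flight_len(CHAIN, responses)
        out[name] = (n, segments_needed(n), fits_initcwnd(n))
    return out


if __name__ == "__main__":
    for name, (n, segs, ok) in scenarios().items():
        print(f"{name:12s} {n:5d} bytes  {segs} segments  fits initcwnd={STANDARD_INITCWND}: {ok}")
```

With these inputs the chain alone takes 2 segments, one stapled response brings the flight to 3 segments (just inside a 3-segment window), and a second response pushes it to 4, which costs a full extra round trip unless the server raises its initcwnd and the client's flow window allows it. Changing `initcwnd` in `fits_initcwnd` shows the effect of a larger window.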
