[AusNOG] Lets Encrypt

Nick Savvides Nick_Savvides at symantec.com
Wed Nov 19 20:29:10 EST 2014


I don’t think it’s overstating it. It is one of the biggest problems facing good use of PKI.

Our OCSP responders are behind good CDNs. 

We’ve even jointly authored an RFC http://tools.ietf.org/html/rfc5019 with Microsoft on improving OCSP responses. The result of which was that all Symantec OCSP is running on our TGV (Trusted Global Validation) platform.


Nick.
 
-------------------------------------------------------
Nick Savvides,  Senior Principal Systems Engineer (Security)
nick_savvides at symantec.com, Mobile: +61 434 600 870

> On 19 Nov 2014, at 18:41 , Matt Palmer <mpalmer at hezmatt.org> wrote:
> 
> On Tue, Nov 18, 2014 at 09:46:49PM -0800, Nick Savvides wrote:
>> I also think that one biggest problems today is that OCSP is not enabled
>> everywhere by default.
> 
> I think it's far, *far* overstating the case that a lack of OCSP is "one [of
> the] biggest problems today".  It's problematic, but until the response
> times of OCSP responders are below the magic threshold (100ms -- that's not
> RTT, that's *total response time*), and the failed-request rate is down in
> the noise, OCSP-by-default won't fly.  So, everyone, start checking OCSP
> over GET requests without nonces, and CAs, start putting your OCSP
> responders behind good CDNs.
> 
> - Matt
> 
> -- 
> Judging by this particular thread, many people in this group spent their
> school years taking illogical, pointless orders from morons and having their
> will to live systematically crushed. And people say school doesn't prepare
> kids for the real world.  -- Rayner, in the Monastery
> 
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
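
Added example (not part of either poster's message): how an OCSP request becomes a GET URL of the kind discussed in the thread, and why leaving the nonce out is what lets a CDN cache the response. The responder URL, issuer name, key bytes and serial are constructed placeholders; the DER is built by hand with the Python standard library.

```python
import base64
import hashlib
import os
from urllib.parse import quote

SHA1_ALG_ID = bytes.fromhex("300906052b0e03021a0500")  # AlgorithmIdentifier: SHA-1, NULL params
NONCE_OID = bytes.fromhex("06092b0601050507300102")    # id-pkix-ocsp-nonce
# Constructed sample inputs (assumptions, not from the thread).
RESPONDER = "http://ocsp.example.test"
ISSUER_KEY_BITS = bytes(range(64))  # stand-in for the issuer public key bytes
SERIAL = 0x0123456789ABCDEF

def der(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body

def der_integer(value):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

# Name with a single CN attribute (OID 2.5.4.3), constructed for the example.
ISSUER_NAME_DER = der(0x30, der(0x31, der(0x30, bytes.fromhex("0603550403") + der(0x0C, b"Example Test CA"))))

def ocsp_request(issuer_name_der, issuer_key_bits, serial, nonce=None):
    """DER OCSPRequest for one certificate; nonce=None gives the cacheable form."""
    cert_id = der(0x30, SHA1_ALG_ID
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())
                  + der(0x04, hashlib.sha1(issuer_key_bits).digest())
                  + der_integer(serial))
    tbs = der(0x30, der(0x30, cert_id))          # requestList holding one Request
    if nonce is not None:                        # [2] EXPLICIT Extensions with the nonce
        ext = der(0x30, NONCE_OID + der(0x04, der(0x04, nonce)))
        tbs += der(0xA2, der(0x30, ext))
    return der(0x30, der(0x30, tbs))             # OCSPRequest { TBSRequest { ... } }

def ocsp_get_url(responder_url, request_der):
    """GET form: responder URL + '/' + url-encoded base64 of the DER request."""
    b64 = base64.b64encode(request_der).decode("ascii")
    return responder_url.rstrip("/") + "/" + quote(b64, safe="")

if __name__ == "__main__":
    plain = ocsp_request(ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL)
    print("no nonce :", ocsp_get_url(RESPONDER, plain))
    for _ in range(2):  # a fresh nonce changes the URL, so a cache never gets a hit
        nonced = ocsp_request(ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL, os.urandom(16))
        print("nonce    :", ocsp_get_url(RESPONDER, nonced))
```

Without a nonce the URL depends only on the certificate being checked, so every client asking about that certificate hits the same cache key.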
