[caops-wg] Microsoft Cert revocation presentation at NIST
Mike Helm
helm at fionn.es.net
Tue Apr 4 13:55:22 CDT 2006
Kelvin Yiu of Microsoft gave a very interesting
presentation about MS strategy for managing revocation
in VISTA, which I think has some relevance for us.
Among other things, he really pushed the lightweight OCSP
profile (not sure if that is finished in IETF PKIX but
it is close). Among other things he mentioned the use
of TLS stapling - this is from RFC 3546 section 3.6
http://www.ietf.org/rfc/rfc3546.txt
where an OCSP response is bundled into the TLS handshake.
I hope the slide deck will be made available, but in lieu
of that here are some of the best practices from KY's slides
(paraphrased a bit):
- Use HTTP not LDAP - better throughput, can cache
- Set ETag & Cache-Control
- Keep it simple
- 1 OCSP & 1 CDP that is accessible
- Use overlapping validity periods
- Max-age should be less than overlap period
- Support the lightweight OCSP profile for high-volume environments
- Pre-generate OCSP responses if security requirements permit - don't do real-time stuff
- Support stapling - push for it in new protocols
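The "overlapping validity periods" and "max-age less than overlap" points above, worked through as an added example (not from the presentation or this list): a pre-generated OCSP responder computes the overlap between consecutive responses and derives HTTP caching headers from it, plus a checker for headers an existing responder sends. The sample dates, regeneration interval and DER bytes are constructed for illustration.

```python
"""Cache-header planning for a pre-generated OCSP responder (added example)."""
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Constructed sample schedule: each response is valid for 7 days but a fresh
# one is published daily, so consecutive responses overlap by 6 days.
SAMPLE_THIS_UPDATE = datetime(2006, 4, 4, tzinfo=timezone.utc)
SAMPLE_NEXT_UPDATE = SAMPLE_THIS_UPDATE + timedelta(days=7)
SAMPLE_REGEN_INTERVAL = timedelta(days=1)
SAMPLE_DER = b"constructed-ocsp-response-bytes"  # placeholder, not a real DER blob

def overlap_period(this_update, next_update, regen_interval):
    """Time during which an old response is still valid after its successor
    has been published: validity window minus regeneration interval."""
    overlap = (next_update - this_update) - regen_interval
    if overlap <= timedelta(0):
        raise ValueError("responses expire before they are regenerated: no overlap")
    return overlap

def build_cache_headers(der_response, this_update, next_update, regen_interval,
                        safety_margin=timedelta(minutes=5)):
    """ETag + Cache-Control for an HTTP-served response. max-age stays below
    the overlap so a cached copy is superseded before it can expire."""
    overlap = overlap_period(this_update, next_update, regen_interval)
    max_age = int((overlap - safety_margin).total_seconds())
    if max_age <= 0:
        raise ValueError("overlap too short for the requested safety margin")
    etag = '"%s"' % hashlib.sha256(der_response).hexdigest()[:32]
    return {"Content-Type": "application/ocsp-response",
            "ETag": etag,
            "Cache-Control": "public, max-age=%d" % max_age}

def check_cache_headers(headers, overlap):
    """Return a list of best-practice violations found in responder headers."""
    findings = []
    if "ETag" not in headers:
        findings.append("missing ETag")
    match = re.search(r"max-age=(\d+)", headers.get("Cache-Control", ""))
    if not match:
        findings.append("missing Cache-Control max-age")
    elif int(match.group(1)) >= overlap.total_seconds():
        findings.append("max-age %s is not less than overlap of %d s"
                        % (match.group(1), overlap.total_seconds()))
    return findings

def demo():
    """Headers for the sample schedule and the findings for a bad responder."""
    good = build_cache_headers(SAMPLE_DER, SAMPLE_THIS_UPDATE,
                               SAMPLE_NEXT_UPDATE, SAMPLE_REGEN_INTERVAL)
    overlap = overlap_period(SAMPLE_THIS_UPDATE, SAMPLE_NEXT_UPDATE, SAMPLE_REGEN_INTERVAL)
    bad = {"Cache-Control": "max-age=604800"}  # cached for the full validity, no ETag
    return good, check_cache_headers(good, overlap), check_cache_headers(bad, overlap)
```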