"Proxy Certificates: The Missing Link in the Web’s Chain of Trust"
- https://arxiv.org/pdf/1906.10775.pdf …
cc @jedisct1
-
"Short-lived certificates provide comparable security and efficiency benefits to OCSP stapling. 4 days is a suggested validity period. Questions remain, however, around the feasibility of reducing this period to a few minutes"
-
it reminds me of https://00f.net/2019/05/04/fixing-expired-certificates/ …
-
yup - that's in part why I cc'd Frank :)
-
Using proxy certificates is also how I’ve always been recommending to run DoH servers, for a different reason: https://github.com/jedisct1/rust-doh#operational-recommendations …
-
ESNI should fix this, right?
-
Also I’m not sure what point you are referring to, but ESNI does nothing against clients still trusting a name after an owner change.
-
That’s the main reason for using proxy certificates. Clients can trust this one instead of the CA (or any CA since most DoH clients don’t care at all).