It's the only way to do it. TLS has shown that OCSP and the likes are not adding significant security and short certificate expiration is the only way to go.

The serving nodes are not necessarily under the control of a well-intentioned party that complies with upgrade requests.

And I don't see the issue with short expiry. The point of a cache is to reduce load, not to entirely eliminate it. Even with a 5m expiry, it's still 5 orders of magnitude better than having 100+ QPS on your server.