    It doesn’t sound like this does anything for security at all. What am I missing, or is this just snake oil?

      I think the idea is that the stapled assertion has a much shorter lifetime. The web site can effectively prove that its own cert has not been revoked as of yesterday. It’s like the CA issuing certs only valid for 24 hours, but without all the attendant hassle of actually having such short duration certs.

      I don’t think it does much practically, because the fallback is still to fail open. In theory, if a cert had a “require stapled assertion” flag set, then maybe it would do something.
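The decision the reply describes, a stapled status with a short validity window whose absence normally fails open unless the certificate demands a staple, written out as an added example. This is illustrative code, not from the thread or any TLS library: the `StapledStatus` record stands in for the fields a client would read out of a real stapled OCSP response, the `must_staple` flag stands in for a "require stapled assertion" marker on the certificate, and all timestamps and scenarios are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class StapledStatus:
    """Fields a client uses from a stapled status assertion (constructed stand-in,
    not a parsed OCSP response)."""
    cert_status: str       # "good" or "revoked"
    this_update: datetime  # when the responder asserted the status
    next_update: datetime  # end of the assertion's (short) validity window


def staple_is_fresh(staple: StapledStatus, now: datetime) -> bool:
    """A staple only counts while 'now' falls inside its validity window;
    an expired staple is treated exactly like no staple at all."""
    return staple.this_update <= now < staple.next_update


def evaluate(staple: Optional[StapledStatus], must_staple: bool, now: datetime) -> str:
    """Return 'accept', 'reject' or 'soft-fail' for one handshake.

    'soft-fail' is the fail-open path the reply complains about: without a
    must-staple requirement, a missing or stale staple does not block the
    connection. With must_staple=True the same situation becomes a hard reject.
    """
    if staple is None or not staple_is_fresh(staple, now):
        return "reject" if must_staple else "soft-fail"
    if staple.cert_status == "revoked":
        return "reject"
    return "accept"


def scenarios() -> dict:
    """Constructed handshakes showing how the same staple state is judged
    with and without a must-staple requirement."""
    now = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
    fresh_good = StapledStatus("good", now - timedelta(hours=12), now + timedelta(hours=12))
    fresh_revoked = StapledStatus("revoked", now - timedelta(hours=12), now + timedelta(hours=12))
    # Assertion issued two days ago with a one-day window: already expired
    stale_good = StapledStatus("good", now - timedelta(days=2), now - timedelta(days=1))
    return {
        "fresh_good": evaluate(fresh_good, False, now),
        "fresh_revoked": evaluate(fresh_revoked, False, now),
        "stale_no_requirement": evaluate(stale_good, False, now),
        "stale_must_staple": evaluate(stale_good, True, now),
        "missing_no_requirement": evaluate(None, False, now),
        "missing_must_staple": evaluate(None, True, now),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:24s} -> {verdict}")
```

The `stale_no_requirement` and `missing_no_requirement` rows are the point of the reply: a server that stops stapling (or staples a response that has aged out) loses nothing unless the certificate itself makes the staple mandatory.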