<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 10/31/2014 07:09 PM, Jeremy Rowley
wrote:<br>
</div>
<blockquote
cite="mid:1a640a6a8cda47398dbef49da3b2d415@EX2.corp.digicert.com"
type="cite">
<pre wrap="">7) Short-lived certs provide a limited hard-fail since the expiration message for expired certs is more visible than the message received where revocation information is unavailable</pre>
</blockquote>
<br>
I don't agree with this entirely: a working revocation usually BLOCKS a
visitor to the site, whereas an expiration notice is not
only clicked away; from the logic of a visitor it's "just" an
expiration, meaning that this site had a valid certificate and just
failed to renew or whatever.<br>
<br>
In my opinion browsers would have to implement similar logic as
with revocations when a short-lived certificate is expired in order
to be effective. And I highly doubt that either CAs or browsers
wish to do that.<br>
<br>
<blockquote
cite="mid:1a640a6a8cda47398dbef49da3b2d415@EX2.corp.digicert.com"
type="cite">
<pre wrap="">8) Browsers don't need to add the certs to their CRLSets or do a call to the CA to retrieve revocation information.</pre>
</blockquote>
<br>
With the above logic, this isn't necessarily true if the key of such
certificates gets compromised. Such a key could potentially be used
for hundreds of certificates, depending on what the guidelines
for reuse of such keys will be.<br>
<br>
If the weakness in how browsers handle expired certificates is
abused with such certificates, they might have to be included in a
CRL.<br>
<br>
<blockquote
cite="mid:1a640a6a8cda47398dbef49da3b2d415@EX2.corp.digicert.com"
type="cite">
<pre wrap="">9) Short-lived certs provide shorter revocation windows than currently offered under the BRs.
</pre>
</blockquote>
<br>
Please note that the BRs allow for a maximum period. CAs might use
shorter periods; in addition, certain browsers don't hold OCSP
responses for more than 24 hours.<br>
<br>
<div class="moz-signature">-- <br>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
</body>
</html>