<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <div class="moz-cite-prefix">On 06/09/2015 10:26 PM, Doug Beattie
      wrote:<br>
    </div>
    <blockquote
cite="mid:SG2PR03MB0666F860416B3D25F118A931F0BE0@SG2PR03MB0666.apcprd03.prod.outlook.com"
      type="cite">
      <div class="WordSection1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Browsers
          can check, or not, the status of SSL certificates today and
          they can also change the rules for shorter validity period
          certificates as they see fit, that is outside the scope of the
          BRs.</span></div>
    </blockquote>
    <br>
    Right! I'd prefer to keep it this way, the same way we can't mandate
    browsers to perform any sort of <br>
    <br>
    <blockquote
cite="mid:SG2PR03MB0666F860416B3D25F118A931F0BE0@SG2PR03MB0666.apcprd03.prod.outlook.com"
      type="cite">
      <div class="WordSection1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> 
          The purpose of this discussion/ballot is to enable the
          issuance of SSL certificates and not require the CA to set up
          revocation services.</span></div>
    </blockquote>
    <br>
    Well, that's the problem I basically personally have with it. <br>
    <br>
    <blockquote
cite="mid:SG2PR03MB0666F860416B3D25F118A931F0BE0@SG2PR03MB0666.apcprd03.prod.outlook.com"
      type="cite">
      <div class="WordSection1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">By
          selecting a sufficiently short validity period we can “revoke”
          certificates more quickly than is currently mandated.</span></div>
    </blockquote>
    <br>
    I don't think so, rather the opposite. Revocation can take effect
    immediately for anybody that doesn't have a cached result already in
    the software, which means that the minute a revocation response is
    set to revoked, a compromised certificate becomes (commercially)
    less interesting. <br>
    <br>
    Of course for specifically targeted attacks this is not true, which
    however requires quite some control over the victim's network. It's
    still a lot more difficult than with a certificate without any
    revocation pointers.<br>
    <br>
    <blockquote
cite="mid:SG2PR03MB0666F860416B3D25F118A931F0BE0@SG2PR03MB0666.apcprd03.prod.outlook.com"
      type="cite">
      <div class="WordSection1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">
          Browsers might also change their expired certificate warning
          to that of a revoked certificate.</span></div>
    </blockquote>
    <br>
    I believe that's a different discussion altogether.<br>
    <br>
    <div class="moz-signature">-- <br>
      <table border="0" cellpadding="0" cellspacing="0">
        <tbody>
          <tr>
            <td colspan="2">Regards </td>
          </tr>
          <tr>
            <td colspan="2"> </td>
          </tr>
          <tr>
            <td>Signer: </td>
            <td>Eddy Nigg, COO/CTO</td>
          </tr>
          <tr>
            <td> </td>
            <td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
          </tr>
          <tr>
            <td>XMPP: </td>
            <td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
          </tr>
          <tr>
            <td>Blog: </td>
            <td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
          </tr>
          <tr>
            <td>Twitter: </td>
            <td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
          </tr>
          <tr>
            <td colspan="2"> </td>
          </tr>
        </tbody>
      </table>
    </div>
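    <br>
    The exchange above compares two ways a compromised certificate stops being accepted: expiry of a short-lived certificate that carries no revocation pointer, versus OCSP revocation of a longer-lived one. The following model is an added example, not code from the thread or from either CA; it assumes a constructed timeline, a client with a cached "good" response whose nextUpdate lies past the revocation, and a "targeted" client whose path to the responder is blocked so that it soft-fails.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Cert:
    not_after: datetime
    has_ocsp_pointer: bool  # True if the cert carries an AIA OCSP URI


@dataclass
class Client:
    name: str
    cached_good_until: Optional[datetime] = None  # nextUpdate of a cached "good" OCSP response
    ocsp_reachable: bool = True                   # False: responder blocked, client soft-fails


def accepted_until(cert: Cert, client: Client, revoked_at: Optional[datetime]) -> datetime:
    """Instant after which this client stops trusting the certificate."""
    if revoked_at is None or not cert.has_ocsp_pointer or not client.ocsp_reachable:
        # No revocation status ever reaches the client: only expiry ends trust.
        return cert.not_after
    if client.cached_good_until is not None and client.cached_good_until > revoked_at:
        # A cached "good" response masks the revocation until it goes stale.
        return min(client.cached_good_until, cert.not_after)
    # Fresh status lookup: revocation takes effect at once.
    return min(revoked_at, cert.not_after)


def exposure_hours(cert: Cert, clients, revoked_at: datetime) -> dict:
    """Hours after revocation during which each client still accepts the cert."""
    return {c.name: (accepted_until(cert, c, revoked_at) - revoked_at) / timedelta(hours=1)
            for c in clients}


# Constructed scenario (not from the thread): key compromise is handled 1.5 days after issuance.
ISSUED = datetime(2015, 6, 1)
REVOKED = datetime(2015, 6, 2, 12)
SHORT_LIVED = Cert(not_after=ISSUED + timedelta(days=3), has_ocsp_pointer=False)
LONG_LIVED = Cert(not_after=ISSUED + timedelta(days=365), has_ocsp_pointer=True)
CLIENTS = [
    Client("fresh"),                                                   # no cached response
    Client("cached", cached_good_until=ISSUED + timedelta(days=4)),    # cached past revocation
    Client("targeted", ocsp_reachable=False),                         # responder blocked
]

if __name__ == "__main__":
    for label, cert in (("short-lived, no OCSP", SHORT_LIVED), ("long-lived + OCSP", LONG_LIVED)):
        print(label, exposure_hours(cert, CLIENTS, REVOKED))
```

    For the short-lived certificate every client keeps accepting it until expiry; for the OCSP-backed one a client without a cache drops it the moment the response says revoked, while a stale cache or a blocked responder extends the window, which is the trade-off both sides of the thread are arguing about.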
  </body>
</html>