<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 06/09/2015 10:26 PM, Doug Beattie
wrote:<br>
</div>
<blockquote
cite="mid:SG2PR03MB0666F860416B3D25F118A931F0BE0@SG2PR03MB0666.apcprd03.prod.outlook.com"
type="cite">
<div class="WordSection1"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D">Browsers
can check, or not, the status of SSL certificates today and
they can also change the rules for shorter validity period
certificates as they see fit, that is outside the scope of the
BRs.</span></div>
</blockquote>
<br>
Right! I'd prefer to keep it this way, the same way we can't mandate
browsers to perform any sort of <br>
<br>
<blockquote
cite="mid:SG2PR03MB0666F860416B3D25F118A931F0BE0@SG2PR03MB0666.apcprd03.prod.outlook.com"
type="cite">
<div class="WordSection1"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D">
The purpose of this discussion/ballot is to enable the
issuance of SSL certificates and not require the CA to set up
revocation services.</span></div>
</blockquote>
<br>
Well, that's the problem I basically personally have with it. <br>
<br>
<blockquote
cite="mid:SG2PR03MB0666F860416B3D25F118A931F0BE0@SG2PR03MB0666.apcprd03.prod.outlook.com"
type="cite">
<div class="WordSection1"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D">By
selecting a sufficiently short validity period we can “revoke”
certificates more quickly than is currently mandated.</span></div>
</blockquote>
<br>
I don't think so, rather the opposite. Revocation can take effect
immediately for anybody that doesn't have a cached result already in
the software, which means that the minute a revocation response is
set to revoked, a compromised certificate becomes (commercially)
less interesting. <br>
<br>
Of course for specifically targeted attacks this is not true, which
however requires quite some control over the victim's network. It's
still a lot more difficult than with a certificate without any
revocation pointers.<br>
<br>
<blockquote
cite="mid:SG2PR03MB0666F860416B3D25F118A931F0BE0@SG2PR03MB0666.apcprd03.prod.outlook.com"
type="cite">
<div class="WordSection1"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D">
Browsers might also change their expired certificate warning
to that of a revoked certificate.</span></div>
</blockquote>
<br>
I believe that's a different discussion altogether.<br>
<br>
<div class="moz-signature">-- <br>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
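To make the timing argument in the reply above concrete, here is an added example (not from this thread or from either author) that models when a relying party stops accepting a certificate in the cases discussed: an uncached client, a client holding a cached "good" OCSP response, a client whose responder access is blocked, and a short-lived certificate with no revocation pointer. The certificate dates, cache lifetime and the soft-fail behaviour are constructed assumptions.<br>

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Cert:
    not_before: datetime
    not_after: datetime
    has_ocsp_pointer: bool  # AIA OCSP URL present in the certificate?


def rejection_time(cert: Cert, revoked_at: Optional[datetime],
                   cached_next_update: Optional[datetime] = None,
                   ocsp_reachable: bool = True, soft_fail: bool = True) -> datetime:
    """Earliest moment this relying party stops accepting `cert` (model, not a real client).

    revoked_at:          when the responder starts answering 'revoked' (None = never revoked)
    cached_next_update:  nextUpdate of a 'good' response the client already holds
    ocsp_reachable:      False models an attacker blocking the responder (targeted attack)
    soft_fail:           True = accept the cert when no fresh status can be fetched
    """
    expiry = cert.not_after
    # No pointer (short-lived cert) or never revoked: only expiry ends acceptance.
    if not cert.has_ocsp_pointer or revoked_at is None:
        return expiry
    # A cached 'good' answer is reused until it goes stale, delaying the first fresh fetch.
    if cached_next_update is not None and cached_next_update > revoked_at:
        first_fresh_fetch = cached_next_update
    else:
        first_fresh_fetch = revoked_at
    if first_fresh_fetch >= expiry:
        return expiry
    if not ocsp_reachable:
        # Soft-fail clients keep trusting the cert; hard-fail clients stop at the failed fetch.
        return expiry if soft_fail else first_fresh_fetch
    return first_fresh_fetch


# Constructed sample: a one-year cert with an OCSP pointer versus a 3-day cert without one.
YEAR_CERT = Cert(datetime(2015, 1, 1), datetime(2016, 1, 1), has_ocsp_pointer=True)
SHORT_CERT = Cert(datetime(2015, 6, 8), datetime(2015, 6, 11), has_ocsp_pointer=False)
REVOKED_AT = datetime(2015, 6, 10, 12, 0)          # compromise noticed, status set to revoked
CACHED_NEXT_UPDATE = datetime(2015, 6, 13, 0, 0)   # stale-by time of a cached 'good' answer


def scenarios() -> dict:
    """Window of acceptance after revocation for each client situation in the discussion."""
    return {
        "uncached client":      rejection_time(YEAR_CERT, REVOKED_AT),
        "cached good response": rejection_time(YEAR_CERT, REVOKED_AT, CACHED_NEXT_UPDATE),
        "responder blocked":    rejection_time(YEAR_CERT, REVOKED_AT, ocsp_reachable=False),
        "short-lived, no ptr":  rejection_time(SHORT_CERT, REVOKED_AT),
    }
```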
</body>
</html>