<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-2022-jp">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">This is the language for tomorrow�$B!G�(Bs discussion on short-lived certificates. I think we�$B!G�(Bve exhausted both sides of permitting v. disallowing short-lived certs so instead of arguing over that, I�$B!G�(Bd rather see if we can find language that people
feel provide an appropriate safe-guard while still permitting the advantages given by short-lived certs. One thing we could do is require CRLs (instead of OCSP) for short-lived certs. This won�$B!G�(Bt expand CRL size almost at all because they will pretty much
fall out of the CRLs by the time the CRL issues (24 hours to issue the CRL means only one CRL before they are removed again).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I�$B!G�(Bll be looking for endorsers tomorrow. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">�$B!D�(B.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>4.9.10. On�$B!>�(Bline Revocation Checking Requirements</b> <o:p>
</o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Effective 1 January 2013, the CA SHALL support an OCSP capability using the GET method for Certificates issued in accordance with these Requirements.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">For the status of Subscriber Certificates<u> with a certificate expiration that is within 48 hours of the certificate�$B!G�(Bs issuance</u>: The CA SHALL update information provided via an Online Certificate Status Protocol at least every four
days. OCSP responses from this service MUST have a maximum expiration time of ten days.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>7.1.2.3. Subscriber Certificate</b> <o:p></o:p></p>
<p class="MsoNormal">�$B!D�(B<o:p></o:p></p>
<p class="MsoNormal">c. authorityInformationAccess With the exception of stapling<u> and certificates that expire within 48 hours of the certificate�$B!G�(Bs issuance</u><s>, which is noted below</s>, this extension MUST be present. It MUST NOT be marked critical,
and it MUST contain the HTTP URL of the Issuing CA�$B!G�(Bs OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA�$B!G�(Bs certificate (accessMethod = 1.3.6.1.5.5.7.48.2).
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The HTTP URL of the Issuing CA�$B!G�(Bs OCSP responder MAY be omitted provided that
<u>the certificate expires within 48 hours of the certificate�$B!G�(Bs issuance or </u>Subscriber �$B!H�(Bstaples�$B!I�(B OCSP responses for the Certificate in its TLS handshakes [RFC4366].<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Jeremy<o:p></o:p></p>
</div>
</body>
</html>