<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-2022-jp">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:JA;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:JA;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:466631653;
mso-list-type:hybrid;
mso-list-template-ids:1524823764 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Yes – it�$B!G�(Bs backwards. That was an error on my part. The rationale on 48 hours from issuance is that we�$B!G�(Bve always talked about 3 days – 1 on the backend and 2 on the front. 48 was picked as a starting point
for discussion purposes, not as the final proposal. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Other items mentioned by Doug previous that need to be addressed include:<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">1)<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D">The timeframe should be based on notBefore since issuance date isn�$B!G�(Bt defined
<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">2)<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D">Simply state that short-lived certs cannot be generated more than 24 hours before the notBefore date<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="color:#1F497D"><o:p> </o:p></span></a></p>
<p class="MsoNormal"><span style="color:#1F497D">I�$B!G�(Bll try to get a new draft out before tomorrow morning.<o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Richard Barnes [mailto:rbarnes@mozilla.com] <br>
<b>Sent:</b> Tuesday, October 6, 2015 6:49 AM<br>
<b>To:</b> Jeremy Rowley<br>
<b>Cc:</b> public@cabforum.org<br>
<b>Subject:</b> Re: [cabfpub] Short lived certificates<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">1. Isn't this backwards? You should want to do revocation for *long* lived certs. <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">2. What's the rationale for 48 hours? I don't really see any reason for this threshold to be less than the max OCSP lifetime -- which I already hear operators complaining about. <br>
<br>
Sent from my iPhone. Please excuse brevity. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
On Oct 6, 2015, at 04:56, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">This is the language for tomorrow�$B!G�(Bs discussion on short-lived certificates. I think we�$B!G�(Bve exhausted both sides of permitting v. disallowing short-lived certs so instead of arguing over that, I�$B!G�(Bd rather see if we can find language that people
feel provide an appropriate safe-guard while still permitting the advantages given by short-lived certs. One thing we could do is require CRLs (instead of OCSP) for short-lived certs. This won�$B!G�(Bt expand CRL size almost at all because they will pretty much
fall out of the CRLs by the time the CRL issues (24 hours to issue the CRL means only one CRL before they are removed again).<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I�$B!G�(Bll be looking for endorsers tomorrow. <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">�$B!D�(B.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>4.9.10. On�$B!>�(Bline Revocation Checking Requirements</b> <o:p>
</o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Effective 1 January 2013, the CA SHALL support an OCSP capability using the GET method for Certificates issued in accordance with these Requirements.
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">For the status of Subscriber Certificates<u> with a certificate expiration that is within 48 hours of the certificate�$B!G�(Bs issuance</u>: The CA SHALL update information provided via an Online Certificate Status Protocol at least every four
days. OCSP responses from this service MUST have a maximum expiration time of ten days.
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>7.1.2.3. Subscriber Certificate</b> <o:p></o:p></p>
<p class="MsoNormal">�$B!D�(B<o:p></o:p></p>
<p class="MsoNormal">c. authorityInformationAccess With the exception of stapling<u> and certificates that expire within 48 hours of the certificate�$B!G�(Bs issuance</u><s>, which is noted below</s>, this extension MUST be present. It MUST NOT be marked critical,
and it MUST contain the HTTP URL of the Issuing CA�$B!G�(Bs OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA�$B!G�(Bs certificate (accessMethod = 1.3.6.1.5.5.7.48.2).
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The HTTP URL of the Issuing CA�$B!G�(Bs OCSP responder MAY be omitted provided that
<u>the certificate expires within 48 hours of the certificate�$B!G�(Bs issuance or </u>Subscriber �$B!H�(Bstaples�$B!I�(B OCSP responses for the Certificate in its TLS handshakes [RFC4366].<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Jeremy<o:p></o:p></p>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">_______________________________________________<br>
Public mailing list<br>
</span><a href="mailto:Public@cabforum.org"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">Public@cabforum.org</span></a><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
</span><a href="https://cabforum.org/mailman/listinfo/public"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">https://cabforum.org/mailman/listinfo/public</span></a><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><o:p></o:p></span></p>
</div>
</blockquote>
</div>
</body>
</html>