[cabfpub] [cabfman] Short Lived Certificates

Jeremy Rowley jeremy.rowley at digicert.com
Fri Jul 27 18:56:48 UTC 2012

Many DV suppliers already operate in an automated fashion.  Do they ever look at the issued certificates?  I’m not sure how an automated system will increase risks over the current practices.  If there was a requirement that each certificate be reviewed manually, then I would agree with you.  This is not the case.




From: management-bounces at cabforum.org [mailto:management-bounces at cabforum.org] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Friday, July 27, 2012 12:47 PM
To: public at cabforum.org
Cc: management at cabforum.org
Subject: Re: [cabfman] [cabfpub] Short Lived Certificates


On 07/27/2012 09:36 PM, From kirk_hall at trendmicro.com: 

Jeremy, even if an attacker could cache and supply a previously good response (clearly a problem) – wouldn’t that be the rare case?  


More likely a short lived cert might be revoked soon after issuance because of a key compromise, etc. – in those cases, quick revocation with required OCSP responses would, in fact, deliver correct revocation information (“revoked”)  to the vast majority of relying parties (as no attacker would be devilishly supplying cached but incorrect good responses to relying parties in those cases).

We have been through this discussion already a few times and one of the clear risks involved that nobody seems to consider right now is the necessity to issue new certificates on a regular basis (turn-over) very frequently and most likely in an automated fashion. Those certificates will also have to be installed in a similar (automated) manner. There are risks when doing so and removes the ability to closely monitor issuance and review of the certificates or at least it makes it a lot harder, being it at the CA or at the subscriber side. Assuming that every week a bunch of those certificates have be pushed out, with increasing numbers the risk grows exceptionally.

A CA that issues tens or hundred of thousands of certificates per year would have to issue the same amount of certificates times 52. I can't see how any due diligence can be done here. And done tell me that the issuing systems are all secured beyond any doubt that no human intervention and monitoring is necessary.




Eddy Nigg, COO/CTO


StartCom Ltd. <http://www.startcom.org> 


startcom at startcom.org


Join the Revolution! <http://blog.startcom.org> 


Follow Me <http://twitter.com/eddy_nigg> 



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20120727/60157afe/attachment-0004.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5409 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20120727/60157afe/attachment-0002.p7s>

More information about the Public mailing list