[cabfpub] FW: Short lived OCSP signing certificate

Mads Egil Henriksveen Mads.Henriksveen at buypass.no
Mon Sep 17 12:50:23 MST 2012


Hi Gerv

My assumption may be wrong, but I think I remember from the discussions this summer that time/clock synchronism could be an issue (e.g. browsers in smartphones, pads etc). However, since we are talking about a validity period of some days, this might not be a big problem.

And if I'm wrong here, it's just fine :-)

My main concern addressed in this thread was actually about short lived certificates in terms of certificates with no revocation information (or no mechanism to revoke a certificate during the lifetime of the certificate). And since short lived OCSP signing certificates apparently should be short lived (i.e. without revocation information) the applications have to deal with short lived certificates already. It was my impression from the discussions this summer that there were some issues related to such certificates.

Regards
Mads

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: 17. september 2012 16:43
To: Mads Egil Henriksveen; public at cabforum.org
Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate

Hi Mads,

On 17/09/12 14:40, Mads Egil Henriksveen wrote:
> *C: Short lived certificates*

...

> The application could deal with short lived SSL-certificates in a
> standard way, i.e. discard expired certificates. However, I assume that
> browsers do not support short lived Subscriber certificates properly at
> the moment (?).

Why assume that? Short-lived certificates are just the same, 
technically, as normal certificates which have nearly reached their 
expiry date. Why would browsers not support them properly?

One advantage of C over B is that it requires no infrastructure changes.

Gerv

