[cabfpub] FW: Short lived OCSP signing certificate
Yngve N. Pettersen
yngve at opera.com
Tue Sep 18 09:53:28 MST 2012
On Tue, 18 Sep 2012 18:41:39 +0200, Rich Smith <richard.smith at comodo.com>
wrote:
> Gerv, short-lived certs have certain advantages, but I don't see them as
> a solution to revocation. I do see them as a solution to requiring
> browsers needing to add a long-lived cert to an internally maintained
> blacklist which can only be updated by an application update.
Site certificates should never be added to an application blacklist. That
is what the revocation functionality is for. The only case in which such
certificates may be added is if there is no revocation option (as was the
case with the Malaysian CA last year), and then only for as long as it
takes to revoke the issuer.
However: In case an attacker blocks revocation checks, then this apprach
depends on how the application treats that missing revocation response.
IMO the browser should remove all "this is secure" indications when that
happens (which is what Opera does), at least as long as hard fail is not a
feasible option.
--
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer Email: yngve at opera.com
Opera Software ASA http://www.opera.com/
Phone: +47 23 69 32 60 Fax: +47 23 69 24 01
********************************************************************
More information about the Public
mailing list