[cabfpub] Short lived OCSP signing certificate

Geoff Keating geoffk at apple.com
Tue Sep 18 15:48:29 MST 2012


On Sep 18, 2012, at 2:23 PM, Rich Smith <richard.smith at comodo.com> wrote:

> The browsers have the ability to decide to treat short lived
> certificates any way they see fit whether revocation information is there or
> not.

Can a browser really do that?  If a certificate has a 5-day lifespan and has revocation information, there's no reason the revocation information couldn't be published daily, or hourly, and in that case it would still need to be checked.

I appreciate the argument that revocation information is still useful even if it would initially be issued as 'valid for 10 days' on a 5-day certificate, because the certificate could be revoked after 2 days.  However, this is only sometimes a concern, and is something that could be addressed with risk management by CAs; for example, perhaps certificates to a new customer would always have revocation information for the first 20 days.  From the browser point of view, we can't rely on a revocation being valid until previous responses have expired, since they could be cached even outside the browser (in an HTTP proxy, for example).
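The trade-off discussed in this message (certificate lifetime versus OCSP response validity, and the effect of responses cached outside the browser) can be made concrete with a small model. The following Python is an added example written for this archive page; it is not code from the thread, from Apple, Comodo or the CA/Browser Forum, and all dates and durations in it are constructed to match the numbers in the message (a 5-day certificate, a 10-day response, revocation after 2 days). It computes the worst case: a 'good' response produced just before revocation and held in a cache until its nextUpdate.

```python
"""Added example: worst-case acceptance window for a revoked certificate
whose last 'good' OCSP response is still cached (e.g. by an HTTP proxy).
All values are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed 5-day certificate, matching the lifetime in the message.
CERT_NOT_BEFORE = datetime(2012, 9, 18, 0, 0)
CERT_NOT_AFTER = CERT_NOT_BEFORE + timedelta(days=5)


def exposure_window(not_before, not_after, revoked_at, response_validity):
    """Return a timedelta: how long a relying party may keep accepting the
    certificate after `revoked_at`.

    Worst case assumed: a 'good' response with thisUpdate just before
    `revoked_at` and nextUpdate = thisUpdate + `response_validity` was
    cached, and the relying party trusts it until nextUpdate.  Pass
    `response_validity=None` for a certificate that carries no revocation
    information at all (accepted until it expires)."""
    if revoked_at >= not_after or revoked_at < not_before:
        return timedelta(0)
    if response_validity is None:
        accepted_until = not_after
    else:
        # Nothing is accepted past the certificate's own expiry, so a
        # response valid beyond notAfter adds no further exposure.
        accepted_until = min(revoked_at + response_validity, not_after)
    return max(accepted_until - revoked_at, timedelta(0))


def exposure_hours(revoked_after_days, validity_hours):
    """Convenience wrapper over the constructed certificate: revocation
    `revoked_after_days` after notBefore, responses valid `validity_hours`
    (None = no revocation information).  Returns hours as a float."""
    revoked_at = CERT_NOT_BEFORE + timedelta(days=revoked_after_days)
    validity = None if validity_hours is None else timedelta(hours=validity_hours)
    window = exposure_window(CERT_NOT_BEFORE, CERT_NOT_AFTER, revoked_at, validity)
    return window.total_seconds() / 3600


def compare_policies(revoked_after_days):
    """Exposure in hours under each publication policy from the message."""
    policies = {
        "no revocation info": None,
        "10-day response": 10 * 24,
        "daily response": 24,
        "hourly response": 1,
    }
    return {name: exposure_hours(revoked_after_days, v) for name, v in policies.items()}


if __name__ == "__main__":
    # Revoked 2 days into a 5-day certificate: a 10-day response gives the
    # same 72-hour exposure as publishing no revocation information at all;
    # only daily or hourly responses shorten the window.
    for name, hours in compare_policies(2).items():
        print(f"{name:>20}: {hours:6.1f} h")
```

The output makes the message's point directly: a response whose validity exceeds the certificate's remaining lifetime is, for caching relying parties, no better than no revocation information, and the window shrinks only when responses are published more often than the certificate lifetime.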
