[cabfpub] Short lived OCSP signing certificate

Mads Egil Henriksveen Mads.Henriksveen at buypass.no
Tue Sep 18 23:32:07 MST 2012


Hi Geoff

This is interesting - you are saying: 
	From the browser point of view, we can't rely on a revocation being valid until previous responses have expired, 
	since they could be cached even outside the browser (in a HTTP proxy for example).

If an OCSP response is valid for 10 days, then (some) browsers will not get a new fresh OCSP response until the previous one has expired (!?). Then using a short lived Subscriber certificate with a lifetime of 10 days without revocation information should be equivalent in terms of "ability to distribute revocation information" to the browsers using the current infrastructure. 

I guess browsers have their own strategies for updating revocation information, but if the distribution of the revocation information depends on infrastructure components outside CA/browser control (proxies, routers etc), we might have a problem. 

Mads


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Geoff Keating
Sent: 19. september 2012 00:48
To: richard.smith at comodo.com
Cc: Mads Egil Henriksveen; 'CABFPub'
Subject: Re: [cabfpub] Short lived OCSP signing certificate


On Sep 18, 2012, at 2:23 PM, Rich Smith <richard.smith at comodo.com> wrote:

> The browsers have the ability to decide to treat short lived
> certificates any way they see fit whether revocation information is there or
> not.

Can a browser really do that?  If a certificate has a 5-day lifespan and has revocation information, there's no reason the revocation information couldn't be published daily, or hourly, and in that case it would still need to be checked.

I appreciate the argument that revocation information is still useful even if it would initially be issued as 'valid for 10 days' on a 5-day certificate, because the certificate could be revoked after 2 days.  However this is only sometimes a concern, and is something that could be addressed with risk management by CAs; for example, perhaps certificates to a new customer would always have revocation information for the first 20 days.  From the browser point of view, we can't rely on a revocation being valid until previous responses have expired, since they could be cached even outside the browser (in a HTTP proxy for example).
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
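An added illustration of the caching argument in this exchange (example code written for this archive page; it is not from either poster or from CA/Browser Forum material). It models the two options being compared, a certificate with an OCSP response that a browser or intermediate proxy caches until its nextUpdate, and a short-lived certificate with no revocation information, and returns how long a revoked certificate stays accepted in each case. The `Scenario`, `first_rejection_day`, `worst_case_rejection_day` and `compare` names and all the day counts are constructed for the example; the model assumes the cached response's thisUpdate is the fetch time and that the cache only refetches once nextUpdate has passed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    """Constructed parameters for one certificate, measured in days from issuance."""
    cert_lifetime_days: float            # notAfter minus notBefore
    ocsp_validity_days: Optional[float]  # nextUpdate minus thisUpdate; None = no OCSP at all
    revoked_at_day: float                # when the CA marks the certificate revoked


def first_rejection_day(s: Scenario, cache_fetched_at_day: float = 0.0) -> float:
    """Day from which a relying party behind a cache stops accepting the certificate.

    The cache (browser or HTTP proxy) fetched a 'good' OCSP response at
    cache_fetched_at_day, before the revocation, and will not fetch again until
    that response's nextUpdate has passed.  Expiry always ends acceptance, so the
    result never exceeds the certificate lifetime.
    """
    expiry = s.cert_lifetime_days
    if s.ocsp_validity_days is None:
        # Short-lived certificate without revocation information: nothing can end
        # acceptance before notAfter.
        return expiry
    if cache_fetched_at_day > s.revoked_at_day:
        raise ValueError("model assumes the cached 'good' response predates the revocation")
    stale_until = cache_fetched_at_day + s.ocsp_validity_days
    # The cached 'good' response is honoured until its nextUpdate even though the
    # CA's responder would already answer 'revoked'.
    return min(expiry, max(s.revoked_at_day, stale_until))


def worst_case_rejection_day(s: Scenario) -> float:
    """Worst case over all fetch times: the cache fetched 'good' just before revocation."""
    if s.ocsp_validity_days is None:
        return s.cert_lifetime_days
    return min(s.cert_lifetime_days, s.revoked_at_day + s.ocsp_validity_days)


def exposure_days(s: Scenario, rejection_day: float) -> float:
    """How long a revoked certificate keeps being accepted (zero if it expired first)."""
    return max(0.0, rejection_day - s.revoked_at_day)


def compare(cert_lifetime_days: float, ocsp_validity_days: float, revoked_at_day: float) -> dict:
    """Worst-case exposure of an OCSP-bearing certificate next to a certificate of the
    same lifetime that carries no revocation information."""
    with_ocsp = Scenario(cert_lifetime_days, ocsp_validity_days, revoked_at_day)
    without = Scenario(cert_lifetime_days, None, revoked_at_day)
    return {
        "with_ocsp": exposure_days(with_ocsp, worst_case_rejection_day(with_ocsp)),
        "short_lived_no_ocsp": exposure_days(without, worst_case_rejection_day(without)),
    }


if __name__ == "__main__":
    # Constructed case matching the thread: 5-day certificate, 10-day OCSP validity, revoked on day 2.
    print(compare(5, 10, 2))    # the certificate expires before the cache refreshes; equal exposure
    # 10-day certificate with a 10-day OCSP validity period versus a 10-day short-lived certificate.
    print(compare(10, 10, 2))   # equal exposure again
    # A short OCSP validity period is what actually shortens the window.
    print(compare(10, 1, 2))    # OCSP side rejects after one more day; the other side waits for expiry
```

The useful knob in this model is the OCSP validity period relative to the certificate lifetime: when the response is valid for as long as the certificate, a cache that never refetches gives the same worst-case window as having no revocation information at all, and a cache outside the CA's or browser's control cannot be forced to refetch earlier.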