[cabfpub] FW: Short lived OCSP signing certificate

Ryan Hurst ryan.hurst at globalsign.com
Wed Sep 19 16:07:44 MST 2012


In my experience this is not supported by most clients.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rick Andrews
Sent: Thursday, September 20, 2012 1:11 AM
To: ben at digicert.com; 'Yngve N. Pettersen'; public at cabforum.org
Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate

Why not just re-use the id-pkix-ocsp-nocheck extension?

-Rick

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] 
> On Behalf Of Ben Wilson
> Sent: Wednesday, September 19, 2012 8:16 AM
> To: 'Yngve N. Pettersen'; public at cabforum.org
> Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
> 
> What about a CABF OID for this type of certificate?  Somebody could 
> create a certificate profile that both CAs and Browsers recognize and follow.
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] 
> On Behalf Of Yngve N. Pettersen
> Sent: Wednesday, September 19, 2012 7:54 AM
> To: public at cabforum.org
> Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
> 
> On Wed, 19 Sep 2012 10:15:23 +0200, Rob Stradling 
> <rob.stradling at comodo.com>
> wrote:
> 
> > On 18/09/12 17:56, Jeremy Rowley wrote:
> >> Our proposal was a seven day validity period.  We selected that 
> >> time period because of clock synchronization issues and because 
> >> it's a typical caching interval for longer-lived certificates.
> >>
> >> The whole point of short-lived certs is their fast processing 
> >> compared to certs containing certificate revocation information.
> >
> > Yes, faster processing is one benefit of avoiding online revocation 
> > checks, but I don't agree that faster processing is "the whole point 
> > of short-lived certs".
> >
> > The other (more important, IMHO) point of the short-lived certs 
> > proposal is that it aims to provide effective, hard-fail revocation 
> > (realized by certificate expiry) without the false negatives 
> > inherent in hard-fail online revocation checking.
> > Whether or not the short-lived certs proposal actually achieves this 
> > is open to question, I think.  Don't most browsers treat expired 
> > certs as less bad than certs they know to be revoked?
> 
> Considering that AFAIK all browsers allow the user to click through to 
> a site with an expired certificate, and most, if not all, do not 
> allow that for positively revoked certificates, I would say that is correct.
> 
> Making short-lived certificates hard-fail similar to revocation would 
> require recoding clients to recognize short-lived certificates somehow, 
> and treat an expired short-lived certificate differently than a longer-lived certificate.
> 
> 
> --
> Sincerely,
> Yngve N. Pettersen
> 
> ********************************************************************
> Senior Developer                     Email: yngve at opera.com
> Opera Software ASA                   http://www.opera.com/
> Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
> ********************************************************************
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
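A client-side decision rule combining the ideas raised in the thread, as an added example that is not code from any of the participants: it recognises a short-lived certificate either by the seven-day window Jeremy proposed or by the id-pkix-ocsp-nocheck extension Rick suggested re-using, and treats expiry of such a certificate as a hard failure rather than a click-through warning, which is the client change Yngve says would be required. The CertView stand-in for parsed certificate fields, the five-minute clock-skew tolerance and the verdict names are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

ID_PKIX_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"  # RFC 6960 extension Rick proposes re-using
SHORT_LIVED_MAX = timedelta(days=7)            # the seven-day window from the thread
CLOCK_SKEW = timedelta(minutes=5)              # assumed tolerance, not from the thread

class Verdict(Enum):
    ACCEPT = "accept; no online revocation check needed"
    NEEDS_OCSP = "accept only after an online revocation check"
    SOFT_FAIL = "expired; client may offer click-through"
    HARD_FAIL = "expired short-lived cert; treat as revoked, no click-through"

@dataclass(frozen=True)
class CertView:
    """Constructed stand-in for the parsed certificate fields a client needs."""
    not_before: datetime
    not_after: datetime
    extension_oids: frozenset = field(default_factory=frozenset)

def is_short_lived(cert: CertView) -> bool:
    """Short-lived by either thread signal: a <=7-day window or the nocheck marker."""
    window = cert.not_after - cert.not_before
    return window <= SHORT_LIVED_MAX or ID_PKIX_OCSP_NOCHECK in cert.extension_oids

def evaluate(cert: CertView, now: datetime) -> Verdict:
    """Validity decision that makes expiry of a short-lived cert a hard failure
    instead of the usual click-through warning."""
    short = is_short_lived(cert)
    if now > cert.not_after + CLOCK_SKEW:
        return Verdict.HARD_FAIL if short else Verdict.SOFT_FAIL
    if now + CLOCK_SKEW < cert.not_before:
        return Verdict.SOFT_FAIL  # not yet valid; handled like any validity error
    return Verdict.ACCEPT if short else Verdict.NEEDS_OCSP

def demo() -> dict:
    """Constructed sample: a 7-day cert, a 1-year cert and a marked 1-year cert."""
    issued = datetime(2012, 9, 12, tzinfo=timezone.utc)
    short = CertView(issued, issued + timedelta(days=7))
    long_ = CertView(issued, issued + timedelta(days=365))
    marked = CertView(issued, issued + timedelta(days=365), frozenset({ID_PKIX_OCSP_NOCHECK}))
    return {
        "short_fresh": evaluate(short, issued + timedelta(days=3)),
        "long_fresh": evaluate(long_, issued + timedelta(days=3)),
        "marked_fresh": evaluate(marked, issued + timedelta(days=3)),
        "short_expired": evaluate(short, issued + timedelta(days=8)),
        "long_expired": evaluate(long_, issued + timedelta(days=400)),
        "short_in_skew": evaluate(short, issued + timedelta(days=7, minutes=3)),
    }
```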