[cabfpub] FW: Short lived OCSP signing certificate

Rick Andrews Rick_Andrews at symantec.com
Thu Sep 20 15:05:07 MST 2012


+1

A site owner may discard or fail to protect the private key for a cert that they've revoked. By waiting until the cert expires, a malicious insider can take the private key and use it. If clients can't tell the difference between (revoked, then expired) and (expired, never revoked), they should assume the worst case.

-Rick

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Ryan Hurst
> Sent: Thursday, September 20, 2012 1:57 AM
> To: 'Rob Stradling'; 'Eddy Nigg (StartCom Ltd.)'
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
> 
> I personally do.
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Rob Stradling
> Sent: Thursday, September 20, 2012 5:49 PM
> To: Eddy Nigg (StartCom Ltd.)
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
> 
> On 20/09/12 09:36, Eddy Nigg (StartCom Ltd.) wrote:
> >
> > On 09/20/2012 11:26 AM, From Rob Stradling:
> >> Or, does the current treatment of expired long-lived certificates
> >> need to change? During a long-lived certificate's lifetime, many
> >> browsers will notice if it gets revoked. But as soon as that revoked
> >> certificate expires, those same browsers will presumably start
> >> treating that certificate no differently than they would treat an
> >> expired certificate that was never revoked.
> >
> > Some browsers will check certificate status nevertheless.
> 
> The PKIX specs don't require CRL/OCSP services to cover expired
> certificates, so there's no guarantee that a browser would be able to
> discover that an expired certificate was once revoked.
> 
> > But certainly certificates that expired shouldn't be relied upon.
> 
> Do you think browsers should block access to sites that use expired certs
> (in the same way that they block access to sites that use revoked certs)?
> 
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
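The two states Rick describes, (revoked, then expired) and (expired, never revoked), look identical to a relying party once the CRL/OCSP source has dropped its entry, which Rob notes PKIX permits for expired certificates. The following is an added example, not code from the thread or from any CA or browser: it models a status service that stops answering for expired certificates and a client policy that rejects on expiry before ever consulting status. `Cert`, `RevocationService`, `validate` and `scenarios`, the serial numbers and the dates are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Tuple


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # no entry retained / no coverage for this certificate


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT_REVOKED = "reject: revoked"
    REJECT_EXPIRED = "reject: expired"
    REJECT_NOT_YET_VALID = "reject: not yet valid"
    REJECT_STATUS_UNKNOWN = "reject: status unknown"


@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


class RevocationService:
    """Constructed model of a CRL/OCSP source (assumption, not a real responder).

    It keeps revocation entries only while the certificate is inside its
    validity period; after expiry it answers UNKNOWN, so a revoked-then-expired
    certificate and an expired-never-revoked one produce the same reply.
    """

    def __init__(self) -> None:
        self._revoked: Dict[int, datetime] = {}

    def revoke(self, cert: Cert, when: datetime) -> None:
        self._revoked[cert.serial] = when

    def status(self, cert: Cert, now: datetime) -> Status:
        if now > cert.not_after:
            return Status.UNKNOWN
        return Status.REVOKED if cert.serial in self._revoked else Status.GOOD


def validate(cert: Cert, service: RevocationService, now: datetime) -> Verdict:
    """Client policy: the validity period is checked first and an expired
    certificate is rejected outright, because revocation status after expiry
    cannot separate the two cases. Status is consulted only inside the
    validity period, where the service can actually answer.
    """
    if now < cert.not_before:
        return Verdict.REJECT_NOT_YET_VALID
    if now > cert.not_after:
        return Verdict.REJECT_EXPIRED
    status = service.status(cert, now)
    if status is Status.REVOKED:
        return Verdict.REJECT_REVOKED
    if status is Status.UNKNOWN:
        return Verdict.REJECT_STATUS_UNKNOWN
    return Verdict.ACCEPT


def scenarios() -> Dict[str, Tuple[Status, Verdict]]:
    """Four constructed cases; each maps to (what the service reports, client verdict)."""
    issued = datetime(2012, 1, 1, tzinfo=timezone.utc)
    lifetime = timedelta(days=365)
    cert_a = Cert(serial=1001, not_before=issued, not_after=issued + lifetime)  # revoked mid-life
    cert_b = Cert(serial=1002, not_before=issued, not_after=issued + lifetime)  # never revoked

    svc = RevocationService()
    svc.revoke(cert_a, issued + timedelta(days=100))

    mid_life = issued + timedelta(days=200)
    after_expiry = issued + timedelta(days=400)

    return {
        "revoked, mid-life": (svc.status(cert_a, mid_life), validate(cert_a, svc, mid_life)),
        "never revoked, mid-life": (svc.status(cert_b, mid_life), validate(cert_b, svc, mid_life)),
        "revoked, then expired": (svc.status(cert_a, after_expiry), validate(cert_a, svc, after_expiry)),
        "expired, never revoked": (svc.status(cert_b, after_expiry), validate(cert_b, svc, after_expiry)),
    }


if __name__ == "__main__":
    for name, (status, verdict) in scenarios().items():
        print(f"{name:24} service says {status.value:8} -> client: {verdict.value}")
```

Inside the validity period the service distinguishes the two certificates and the client verdicts differ; after expiry both queries come back UNKNOWN, and the only safe policy is the one the thread argues for, rejecting on expiry alone.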

