[cabfpub] FW: Short lived OCSP signing certificate

Gervase Markham gerv at mozilla.org
Mon Sep 17 15:25:49 UTC 2012

On 17/09/12 16:07, Rob Stradling wrote:
> On 17/09/12 15:43, Gervase Markham wrote:
>> One advantage of C over B is that it requires no infrastructure changes.
> Gerv, which infrastructure(s) are you referring to?

Yes, sorry, I misspoke. Try this instead:

"One advantage of C over B is that no client-side changes are required, 
and it can be rolled out on a per-site basis at a speed appropriate for 
each site and their partner CA".

> I think most browsers would need some changes too.  I'm not aware of any
> browser that avoids doing online revocation checks just because the cert
> is short-lived (or is sufficiently fresh).  (And if online revocation
> checks are not being avoided, what's the point of short-lived certs?)

Firefox does not do online revocation checks if there is no revocation 
information embedded in the cert :-) I believe this is a feature of most 
imaginings of this plan.

> I think the BRs and EVGs may need some changes too, if the consensus is
> that short-lived certs are permitted to contain zero CRL/OCSP URLs.
> (IIRC, opinions are divided on this point).

See above :-)

