[cabfpub] FW: Short lived OCSP signing certificate
gerv at mozilla.org
Mon Sep 17 15:25:49 UTC 2012
On 17/09/12 16:07, Rob Stradling wrote:
> On 17/09/12 15:43, Gervase Markham wrote:
>> One advantage of C over B is that it requires no infrastructure changes.
> Gerv, which infrastructure(s) are you referring to?
Yes, sorry, I misspoke. Try this instead:
"One advantage of C over B is that no client-side changes are required,
and it can be rolled out on a per-site basis at a speed appropriate for
each site and their partner CA".
> I think most browsers would need some changes too. I'm not aware of any
> browser that avoids doing online revocation checks just because the cert
> is short-lived (or is sufficiently fresh). (And if online revocation
> checks are not being avoided, what's the point of short-lived certs?)
Firefox does not do online revocation checks if there is no revocation
information embedded in the cert :-) I believe this is a feature of most
imaginings of this plan.
> I think the BRs and EVGs may need some changes too, if the consensus is
> that short-lived certs are permitted to contain zero CRL/OCSP URLs.
> (IIRC, opinions are divided on this point).
See above :-)
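The behaviour Gerv describes (a client that skips online revocation checks when the certificate carries no revocation pointers, so a short-lived certificate stands in for revocation) is easy to audit from the certificate itself. The following Go program is an added example, not code from this thread, from Mozilla or from any browser: it models that described client behaviour over constructed self-signed test certificates and flags the dangerous combination of no revocation pointers with a long lifetime. The one-week threshold for "short-lived" is an assumption for the example; the thread fixes no number.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// HasEmbeddedRevocationInfo reports whether the certificate carries any
// OCSP responder URL (Authority Information Access) or CRL distribution point.
func HasEmbeddedRevocationInfo(cert *x509.Certificate) bool {
	return len(cert.OCSPServer) > 0 || len(cert.CRLDistributionPoints) > 0
}

// WouldSkipOnlineCheck models the client behaviour described in the thread:
// online revocation checks happen only when the certificate embeds a pointer
// to revocation information. This is a model of the described behaviour,
// not a reimplementation of any browser's code.
func WouldSkipOnlineCheck(cert *x509.Certificate) bool {
	return !HasEmbeddedRevocationInfo(cert)
}

// Lifetime returns the certificate's validity period.
func Lifetime(cert *x509.Certificate) time.Duration {
	return cert.NotAfter.Sub(cert.NotBefore)
}

// IsShortLived reports whether the validity period is at most maxLifetime.
// The threshold is supplied by the caller; the thread does not fix one.
func IsShortLived(cert *x509.Certificate, maxLifetime time.Duration) bool {
	return Lifetime(cert) <= maxLifetime
}

// Describe combines the two checks so that a short-lived certificate without
// revocation pointers (the model under discussion) is distinguished from a
// long-lived one without them, which no client could ever revoke.
func Describe(cert *x509.Certificate, maxLifetime time.Duration) string {
	switch {
	case HasEmbeddedRevocationInfo(cert):
		return "has revocation pointers; client would check online"
	case IsShortLived(cert, maxLifetime):
		return "no revocation pointers, short-lived; client relies on expiry"
	default:
		return "no revocation pointers, long-lived; effectively unrevocable"
	}
}

// makeTestCert builds a self-signed certificate (constructed test data, not a
// real CA's output) with the given lifetime and optional OCSP/CRL URLs.
func makeTestCert(lifetime time.Duration, ocsp, crl []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Truncate to whole seconds: DER validity times carry no fractions, so
	// Lifetime() of the parsed certificate equals the requested lifetime.
	now := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:             now,
		NotAfter:              now.Add(lifetime),
		OCSPServer:            ocsp,
		CRLDistributionPoints: crl,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	const maxShort = 7 * 24 * time.Hour // assumed "short-lived" threshold
	cases := []struct {
		name     string
		lifetime time.Duration
		ocsp     []string
	}{
		{"short, no pointers", 72 * time.Hour, nil},
		{"long, OCSP pointer", 365 * 24 * time.Hour, []string{"http://ocsp.example.test"}},
		{"long, no pointers", 365 * 24 * time.Hour, nil},
	}
	for _, c := range cases {
		cert, err := makeTestCert(c.lifetime, c.ocsp, nil)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-20s skip online check=%-5v %s\n",
			c.name, WouldSkipOnlineCheck(cert), Describe(cert, maxShort))
	}
}
```

The third case is the one a policy reviewer wants caught: dropping CRL/OCSP URLs is only safe when the lifetime is short enough that expiry does the work revocation would otherwise do.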