[cabfpub] FW: Short lived OCSP signing certificate

Jeremy Rowley jeremy.rowley at digicert.com
Mon Sep 17 15:45:06 UTC 2012

We should modify the baseline requirements to permit CAs to issue short
lived certs on at least an interim basis while we continue discussing their
implementation and use.  That way those CAs and clients interested in
analyzing the performance benefits and security risks can do so.  

Let's add this discussion to the face-to-face agenda.


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Gervase Markham
Sent: Monday, September 17, 2012 9:26 AM
To: Rob Stradling
Cc: Mads Egil Henriksveen; public at cabforum.org
Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate

On 17/09/12 16:07, Rob Stradling wrote:
> On 17/09/12 15:43, Gervase Markham wrote:
>> One advantage of C over B is that it requires no infrastructure changes.
> Gerv, which infrastructure(s) are you referring to?

Yes, sorry, I misspoke. Try this instead:

"One advantage of C over B is that no client-side changes are required, and
it can be rolled out on a per-site basis at a speed appropriate for each
site and their partner CA".

> I think most browsers would need some changes too.  I'm not aware of 
> any browser that avoids doing online revocation checks just because 
> the cert is short-lived (or is sufficiently fresh).  (And if online 
> revocation checks are not being avoided, what's the point of 
> short-lived certs?)

Firefox does not do online revocation checks if there is no revocation
information embedded in the cert :-) I believe this is a feature of most
imaginings of this plan.

> I think the BRs and EVGs may need some changes too, if the consensus 
> is that short-lived certs are permitted to contain zero CRL/OCSP URLs.
> (IIRC, opinions are divided on this point).

See above :-)
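As an added illustration (not code from the thread, nor from any browser or CA), the relying-party behaviour Gerv describes, written in Go together with the guard that makes skipping the online check defensible: a certificate with no OCSP/CRL pointers is only acceptable if its whole validity window is short. The maxLifetime bound and the self-signed test certificate are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// Relying-party outcomes, following the model discussed in the thread.
const (
	CheckOnline    = "check-online"     // OCSP/CRL URL embedded: fetch status
	TrustFreshness = "trust-freshness"  // no pointers, but short-lived
	RejectNoStatus = "reject-no-status" // no pointers and not short-lived
)

// Classify mirrors a client that skips online revocation checks when no
// revocation information is embedded, and adds the guard that makes that
// safe: the whole validity window must fit within maxLifetime (an assumed
// policy value, not one from the thread).
func Classify(cert *x509.Certificate, maxLifetime time.Duration) string {
	if len(cert.OCSPServer) > 0 || len(cert.CRLDistributionPoints) > 0 {
		return CheckOnline
	}
	if cert.NotAfter.Sub(cert.NotBefore) <= maxLifetime {
		return TrustFreshness
	}
	return RejectNoStatus
}

// MakeTestCert builds a constructed self-signed certificate (not a real CA's)
// with the given lifetime and OCSP URLs (nil for none) so the demo runs offline.
func MakeTestCert(lifetime time.Duration, ocspURLs []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now().Truncate(time.Second) // X.509 times carry whole seconds
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    now, NotAfter: now.Add(lifetime),
		OCSPServer:   ocspURLs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```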
