[cabfpub] FW: Short lived OCSP signing certificate

Rick Andrews Rick_Andrews at symantec.com
Mon Sep 17 18:59:38 UTC 2012


Jeremy,

Why can't CAs experiment with these right now by omitting the policy OID indicating compliance with the BR?

-Rick

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Jeremy Rowley
> Sent: Monday, September 17, 2012 8:45 AM
> To: 'Gervase Markham'; 'Rob Stradling'
> Cc: 'Mads Egil Henriksveen'; public at cabforum.org
> Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
> 
> We should modify the baseline requirements to permit CAs to issue short
> lived certs on at least an interim basis while we continue discussing their
> implementation and use.  That way those CAs and clients interested in
> analyzing the performance benefits and security risks can do so.
> 
> Let's add this discussion to the face-to-face agenda.
> 
> Jeremy
> 
> 
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Gervase Markham
> Sent: Monday, September 17, 2012 9:26 AM
> To: Rob Stradling
> Cc: Mads Egil Henriksveen; public at cabforum.org
> Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
> 
> On 17/09/12 16:07, Rob Stradling wrote:
> > On 17/09/12 15:43, Gervase Markham wrote:
> >> One advantage of C over B is that it requires no infrastructure changes.
> >
> > Gerv, which infrastructure(s) are you referring to?
> 
> Yes, sorry, I misspoke. Try this instead:
> 
> "One advantage of C over B is that no client-side changes are required, and
> it can be rolled out on a per-site basis at a speed appropriate for each
> site and their partner CA".
> 
> > I think most browsers would need some changes too.  I'm not aware of
> > any browser that avoids doing online revocation checks just because
> > the cert is short-lived (or is sufficiently fresh).  (And if online
> > revocation checks are not being avoided, what's the point of
> > short-lived certs?)
> 
> Firefox does not do online revocation checks if there is no revocation
> information embedded in the cert :-) I believe this is a feature of most
> imaginings of this plan.
> 
> > I think the BRs and EVGs may need some changes too, if the consensus
> > is that short-lived certs are permitted to contain zero CRL/OCSP URLs.
> > (IIRC, opinions are divided on this point).
> 
> See above :-)
> 
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> 
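The client-side decision the thread circles around (Gerv: Firefox skips the online check when the certificate embeds no revocation information; Rob: no browser yet skips it merely because the certificate is short-lived) can be written down as a small policy over the certificate's AIA OCSP pointer, CRL distribution point and validity period. The Go program below is an added example, not code from Firefox, any CA, or the CA/Browser Forum. It uses only the standard library: it mints self-signed sample certificates with and without revocation pointers, then applies both behaviours. The 7-day cut-off, the example.test names and the responder URLs are assumptions; the thread does not fix any of them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is what the client decides for one leaf certificate.
type Policy int

const (
	Reject      Policy = iota // not within its validity period; revocation status is moot
	OnlineCheck               // fetch OCSP or a CRL before trusting the certificate
	SkipCheck                 // rely on the short lifetime or the absence of pointers instead
)

func (p Policy) String() string {
	return [...]string{"Reject", "OnlineCheck", "SkipCheck"}[p]
}

// MaxShortLived is an assumed cut-off; the thread does not settle on a number.
const MaxShortLived = 7 * 24 * time.Hour

// decideRevocationCheck models the two client behaviours discussed in the thread:
// skip the online check when the certificate carries no revocation pointers at all
// (the Firefox behaviour Gerv describes), and additionally skip it when the whole
// lifetime is at most MaxShortLived (the behaviour Rob notes no browser yet has).
func decideRevocationCheck(cert *x509.Certificate, now time.Time) Policy {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return Reject
	}
	hasPointers := len(cert.OCSPServer) > 0 || len(cert.CRLDistributionPoints) > 0
	if !hasPointers {
		return SkipCheck // nothing to query
	}
	if cert.NotAfter.Sub(cert.NotBefore) <= MaxShortLived {
		return SkipCheck // short-lived: the lifetime bounds the exposure window
	}
	return OnlineCheck
}

// mintCert builds a self-signed sample leaf with the given lifetime and optional
// OCSP / CRL pointers. Constructed test data only; real leaves come from a CA.
func mintCert(notBefore time.Time, lifetime time.Duration, ocspURL, crlURL string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // assumed name
		DNSNames:     []string{"example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if ocspURL != "" {
		tmpl.OCSPServer = []string{ocspURL} // encoded as the AIA OCSP accessMethod
	}
	if crlURL != "" {
		tmpl.CRLDistributionPoints = []string{crlURL}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der) // re-parse so the policy reads the real extensions
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	issued := time.Date(2012, 9, 17, 0, 0, 0, 0, time.UTC)
	now := issued.Add(time.Hour)
	for _, c := range []struct {
		label string
		cert  *x509.Certificate
		at    time.Time
	}{
		{"3-day cert, no pointers", mintCert(issued, 72*time.Hour, "", ""), now},
		{"3-day cert, OCSP pointer", mintCert(issued, 72*time.Hour, "http://ocsp.example.test", ""), now},
		{"1-year cert, OCSP+CRL pointers", mintCert(issued, 365*24*time.Hour, "http://ocsp.example.test", "http://crl.example.test/ca.crl"), now},
		{"3-day cert, checked a week later", mintCert(issued, 72*time.Hour, "", ""), issued.Add(7 * 24 * time.Hour)},
	} {
		fmt.Printf("%-34s -> %v\n", c.label, decideRevocationCheck(c.cert, c.at))
	}
}
```

Two things the example makes concrete. First, the "no pointers, no check" rule alone is not a short-lived-certificate policy: a one-year certificate with no AIA OCSP URL and no CRL distribution point would also escape checking, which is why the lifetime test is a separate clause and why the BRs and EVGs matter to whether such certificates may omit the pointers at all, as Rob raises. Second, a short-lived certificate that does carry an OCSP pointer only gains anything if the client implements the second clause, which is the client-side change Rob says browsers would need.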
