[cabfpub] FW: Short lived OCSP signing certificate

Gervase Markham gerv at mozilla.org
Tue Sep 18 16:17:45 UTC 2012


On 18/09/12 17:05, Rich Smith wrote:
> I am still opposed to issuance of any certificate without revocation
> information.  Yes, the BRs allow a signed OCSP response to be good for
> 10 days.

I've not heard a proposal for short-life certificates for as long as 10 
days. 3 was what was on the table last time, IIRC.

> similar fashion.  The disconnect here seems to be that the relying
> parties take that 10 day lifespan to mean that they can leave off
> checking to 10 day intervals and that is faulty reasoning.

I don't think that's so. AIUI CRLs define how often they should be 
rechecked and Firefox, when checking CRLs, respects those time periods. 
Do you know of a browser which doesn't?

> contention.  There is absolutely no reason that a short-lived
> certificate REQUIRES the absence of revocation information.

If a certificate contains revocation information, what advantage would 
there be in making it short-lived?

To put it another way: my understanding is that short-lived certificates 
were a proposed solution, requiring no client-side changes, to various 
issues with revocation (and certificate size). We can debate whether 
they actually work in that role or not, but I don't see the value of the 
short-livedness if revocation info is included.

> The only
> reason I can see is that some parties don't want to be held to account
> for not properly checking the revocation status, so if the information
> is not there they're off the hook.

I'm not sure who you mean here, but my interest in this is nothing to do 
with any advantage to Firefox. I just think it might be a good solution 
to some problems - as do, or at least did, Google, from a "owner of lots 
of big servers" point of view.

Gerv
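Added illustration, not part of the thread: a toy model of the relying-party behaviour discussed above (a client that honours the CRL/OCSP nextUpdate interval) next to a short-lived certificate carrying no revocation pointers, so the two exposure windows being argued over can be compared on a timeline. The Cert and Authority classes, the dates and the three certificates are constructed for the example; the 10-day status validity is the OCSP ceiling mentioned in the message.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
Status = Tuple[datetime, bool]  # (nextUpdate, revoked) as signed by the CA

@dataclass(frozen=True)
class Cert:  # constructed stand-in for the X.509 fields that matter here
    not_before: datetime
    not_after: datetime
    has_revocation_pointer: bool  # CRL DP or AIA OCSP URL present?

@dataclass(frozen=True)
class Authority:  # constructed CA view of the certificate
    revoked_at: Optional[datetime]   # None: never revoked
    status_validity: timedelta       # thisUpdate-to-nextUpdate interval

    def fetch(self, now: datetime) -> Status:
        revoked = self.revoked_at is not None and now >= self.revoked_at
        return (now + self.status_validity, revoked)

def accepts(cert: Cert, now: datetime, cache: Optional[Status],
            ca: Authority) -> Tuple[bool, Optional[Status]]:
    # One relying-party decision: reuse the cached status until nextUpdate lapses.
    if not (cert.not_before <= now <= cert.not_after):
        return False, cache
    if not cert.has_revocation_pointer:
        return True, cache  # nothing to consult: the lifetime is the only bound
    if cache is None or now > cache[0]:
        cache = ca.fetch(now)  # cached status lapsed: fetch a fresh one
    return (not cache[1]), cache

def hours_until_rejected(cert: Cert, ca: Authority, start: datetime) -> int:
    # Hourly clock walk from first use: how long is a revoked cert still accepted?
    hours, cache = 0, None
    while True:
        ok, cache = accepts(cert, start + timedelta(hours=hours), cache, ca)
        if not ok:
            return hours
        hours += 1

# Constructed scenario: first use at T0, revocation one day later, signed status good for 10 days.
T0 = datetime(2012, 9, 18, tzinfo=timezone.utc)
CA = Authority(T0 + timedelta(days=1), timedelta(days=10))
SHORT_NO_PTR = Cert(T0, T0 + timedelta(days=3), False)
LONG_WITH_PTR = Cert(T0, T0 + timedelta(days=365), True)
SHORT_WITH_PTR = Cert(T0, T0 + timedelta(days=3), True)

def demo() -> dict:
    return {"short, no pointer": hours_until_rejected(SHORT_NO_PTR, CA, T0),
            "long, with pointer": hours_until_rejected(LONG_WITH_PTR, CA, T0),
            "short, with pointer": hours_until_rejected(SHORT_WITH_PTR, CA, T0)}
```

Run `demo()` to see the three bounds side by side: the certificate lifetime, the cached status interval, and the smaller of the two when both apply.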
