[cabfpub] FW: Short lived OCSP signing certificate

Erwann Abalea erwann.abalea at keynectis.com
Tue Sep 18 16:43:14 UTC 2012


On 18/09/2012 18:17, Gervase Markham wrote:
> On 18/09/12 17:05, Rich Smith wrote:
>> similar fashion.  The disconnect here seems to be that the relying
>> parties take that 10 day lifespan to mean that they can leave off
>> checking to 10 day intervals and that is faulty reasoning.
> I don't think that's so. AIUI CRLs define how often they should be
> rechecked and Firefox, when checking CRLs, respects those time periods.
> Do you know of a browser which doesn't?

CRLs don't define how often they should be rechecked.

They optionally provide a nextUpdate field, which is defined as the
latest date at which a new CRL will be issued, and the CA is free to
issue any number of CRLs they want before that date, and an RP is free to
frequently check if a new CRL has been issued. The nextUpdate found in
an OCSP response has the exact same semantics.
The nextUpdate and issue frequency are not correlated.

parturiophone: loudspeaker
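An added example, not part of this thread or anyone's posted code, that makes the distinction above concrete: nextUpdate is the latest date by which a replacement CRL will exist (a hard expiry for the copy you hold), not a promise that nothing changes until then. It uses the third-party `cryptography` package to sign two CRLs from a throwaway in-memory CA (the issuer name, serial number and the timeline starting at the date of this message are constructed for the example) and then compares two relying-party cache policies: one that refreshes only at the 10-day lifetime, and one that polls hourly and uses nextUpdate only as the staleness bound.

```python
"""Added example (not from the cabfpub thread): nextUpdate is an expiry,
not a refresh interval.  Requires the third-party `cryptography` package."""
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

T0 = dt.datetime(2012, 9, 18, 16, 43)          # constructed timeline origin (naive UTC)
CRL_LIFETIME = dt.timedelta(days=10)           # the "10 day lifespan" discussed in the thread
ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])  # hypothetical
CA_KEY = ec.generate_private_key(ec.SECP256R1())   # throwaway CA key for the example


def issue_crl(issued_at, revoked_serials):
    """CA side: sign a CRL with thisUpdate=issued_at and nextUpdate ten days later.
    Nothing stops the CA calling this again long before that nextUpdate."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ISSUER)
               .last_update(issued_at)
               .next_update(issued_at + CRL_LIFETIME))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(issued_at)
            .build())
    return builder.sign(CA_KEY, hashes.SHA256())


def _naive_utc(value):
    return value.replace(tzinfo=None) if value.tzinfo else value


def this_update(crl):
    # *_utc accessors exist in newer cryptography releases; fall back to the older names.
    return _naive_utc(crl.last_update_utc) if hasattr(crl, "last_update_utc") else crl.last_update


def next_update(crl):
    return _naive_utc(crl.next_update_utc) if hasattr(crl, "next_update_utc") else crl.next_update


class RelyingParty:
    """Relying-party CRL cache.  `refresh_every` is the polling interval the RP
    chooses for itself; nextUpdate is used only as the hard expiry of a cached copy."""

    def __init__(self, ca_public_key, refresh_every):
        self.ca_public_key = ca_public_key
        self.refresh_every = refresh_every
        self.cached = None
        self.fetched_at = None

    def _accept(self, crl, now):
        # Validate signature and validity window before trusting the CRL at all.
        if not crl.is_signature_valid(self.ca_public_key):
            raise ValueError("CRL signature invalid")
        if now < this_update(crl):
            raise ValueError("CRL thisUpdate is in the future")
        if next_update(crl) is not None and now > next_update(crl):
            raise ValueError("CRL expired: nextUpdate has passed")
        return crl

    def status(self, serial, now, fetch):
        """Return 'revoked' or 'good'.  `fetch()` models downloading the CA's
        currently published CRL from its distribution point."""
        stale = (self.cached is None
                 or now - self.fetched_at >= self.refresh_every
                 or (next_update(self.cached) is not None and now > next_update(self.cached)))
        if stale:
            self.cached = self._accept(fetch(), now)
            self.fetched_at = now
        return "revoked" if self.cached.get_revoked_certificate_by_serial_number(serial) else "good"


def run_scenario():
    """Constructed timeline: empty CRL at T0; certificate 4242 is revoked one day
    later and a new CRL is issued at once, well inside the first CRL's window."""
    first = issue_crl(T0, [])
    published = {"crl": first}
    fetch = lambda: published["crl"]
    lazy = RelyingParty(CA_KEY.public_key(), refresh_every=CRL_LIFETIME)        # rechecks every 10 days
    eager = RelyingParty(CA_KEY.public_key(), refresh_every=dt.timedelta(hours=1))
    serial = 4242
    results = {"t0": (lazy.status(serial, T0, fetch), eager.status(serial, T0, fetch))}

    second = issue_crl(T0 + dt.timedelta(days=1), [serial])
    published["crl"] = second
    results["second_crl_issued_before_first_nextUpdate"] = this_update(second) < next_update(first)

    t_check = T0 + dt.timedelta(days=2)
    results["t2"] = (lazy.status(serial, t_check, fetch), eager.status(serial, t_check, fetch))
    return results


if __name__ == "__main__":
    print(run_scenario())
```

At day two the lazy RP still answers "good" for a certificate the CA revoked a day earlier, even though every CRL it holds is signed and within its validity window; the hourly RP answers "revoked". The only property nextUpdate guarantees is the expiry check in `_accept`; how often to call `fetch()` is the RP's own policy decision.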
