[cabfpub] FW: Short lived OCSP signing certificate
Erwann Abalea
erwann.abalea at keynectis.com
Tue Sep 18 16:43:14 UTC 2012
Hello,
On 18/09/2012 18:17, Gervase Markham wrote:
> On 18/09/12 17:05, Rich Smith wrote:
>
>> similar fashion. The disconnect here seems to be that the relying
>> parties take that 10 day lifespan to mean that they can leave off
>> checking to 10 day intervals and that is faulty reasoning.
> I don't think that's so. AIUI CRLs define how often they should be
> rechecked and Firefox, when checking CRLs, respects those time periods.
> Do you know of a browser which doesn't?
CRLs don't define how often they should be rechecked.
They optionally provide a nextUpdate field, which is defined as the
latest date at which a new CRL will be issued, and the CA is free to
issue any number of CRLs they want before that date, and an RP is free to
frequently check if a new CRL has been issued. The nextUpdate found in
an OCSP response has the exact same semantics.
The nextUpdate and issue frequency are not correlated.
--
Erwann ABALEA
-----
parturiophone: loudspeaker (in the original French, "enceinte acoustique", a pun on "enceinte", meaning both pregnant and speaker enclosure)
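As an added example (not code from this thread, from Mozilla, or from any CA), here is the relying-party behaviour the message describes, written in Python with a constructed issuance schedule: nextUpdate is treated as the latest time a new CRL (or OCSP response) will be issued, so the RP refetches at its own poll interval and never later than nextUpdate, and an early reissue is picked up as soon as the RP next polls. The dates, CRL numbers and the "CA serves the latest issued CRL" model are assumptions for the demonstration.

```python
"""Relying-party freshness policy for CRL / OCSP nextUpdate (added example).

Assumption: the CA's distribution point always serves the most recently
issued CRL; the issuance schedule below is constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class CrlInfo:
    """The CRL (or OCSP response) fields that matter for freshness."""
    crl_number: int                  # cRLNumber extension, monotonically increasing
    this_update: datetime
    next_update: Optional[datetime]  # OPTIONAL in RFC 5280; same meaning in OCSP


def is_usable(crl: CrlInfo, now: datetime) -> bool:
    """Inside the validity window: already issued and not past nextUpdate."""
    if now < crl.this_update:
        return False
    return crl.next_update is None or now <= crl.next_update


def is_newer(candidate: CrlInfo, cached: Optional[CrlInfo]) -> bool:
    """Only replace the cached copy with something that really is newer
    (guards against being fed an older, still-valid CRL)."""
    if cached is None:
        return True
    return (candidate.crl_number, candidate.this_update) > (
        cached.crl_number, cached.this_update)


def next_fetch_time(cached: CrlInfo, now: datetime,
                    poll_interval: timedelta) -> datetime:
    """nextUpdate is a deadline, not a refresh interval: refetch at the RP's
    own poll interval, and in any case no later than nextUpdate."""
    by_policy = now + poll_interval
    if cached.next_update is None:
        return by_policy
    return min(by_policy, cached.next_update)


def latest_issued(issued: List[CrlInfo], now: datetime) -> Optional[CrlInfo]:
    """Constructed model of the CA: serve the newest CRL issued so far."""
    available = [c for c in issued if c.this_update <= now]
    return max(available, key=lambda c: c.crl_number, default=None)


def first_seen(issued: List[CrlInfo], target_number: int,
               poll_interval: timedelta, start: datetime,
               horizon: datetime) -> Optional[datetime]:
    """Simulate an RP polling per next_fetch_time(); return the time at which
    it first holds CRL number `target_number`, or None if never by horizon."""
    now, cached = start, None
    while now <= horizon:
        served = latest_issued(issued, now)
        if served is not None and is_newer(served, cached):
            cached = served
        if cached is not None and cached.crl_number == target_number:
            return now
        now = (now + poll_interval if cached is None
               else next_fetch_time(cached, now, poll_interval))
    return None


# Constructed schedule: CRL #2 at T0 with a 10-day nextUpdate; the CA then
# reissues early (CRL #3 on day 2), well before #2's nextUpdate.
T0 = datetime(2012, 9, 18, tzinfo=timezone.utc)
ISSUED = [
    CrlInfo(2, T0, T0 + timedelta(days=10)),
    CrlInfo(3, T0 + timedelta(days=2), T0 + timedelta(days=12)),
]


def days_until_crl3(poll_days: int) -> int:
    """Days after T0 until an RP polling every `poll_days` holds CRL #3."""
    seen = first_seen(ISSUED, 3, timedelta(days=poll_days), T0,
                      T0 + timedelta(days=20))
    assert seen is not None
    return (seen - T0).days


if __name__ == "__main__":
    print("daily poll sees CRL #3 on day", days_until_crl3(1))    # 2
    print("poll only at nextUpdate sees it on day", days_until_crl3(30))  # 10
    print("CRL #2 usable on day 11?", is_usable(ISSUED[0], T0 + timedelta(days=11)))
```

Both simulated relying parties honour nextUpdate, yet the one that treats it as "check again in 10 days" runs on a superseded CRL for eight extra days; the one that polls on its own schedule picks up the early reissue immediately.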