[cabfpub] FW: Short lived OCSP signing certificate

Yngve N. Pettersen yngve at opera.com
Tue Sep 18 16:53:28 UTC 2012

On Tue, 18 Sep 2012 18:41:39 +0200, Rich Smith <richard.smith at comodo.com>  

> Gerv, short-lived certs have certain advantages, but I don't see them as  
> a solution to revocation.  I do see them as a solution to requiring  
> browsers needing to add a long-lived cert to an internally maintained  
> blacklist which can only be updated by an application update.

Site certificates should never be added to an application blacklist. That  
is what the revocation functionality is for. The only case in which such  
certificates may be added is if there is no revocation option (as was the  
case with the Malaysian CA last year), and then only for as long as it  
takes to revoke the issuer.

However: In case an attacker blocks revocation checks, then this apprach  
depends on how the application treats that missing revocation response.  
IMO the browser should remove all "this is secure" indications when that  
happens (which is what Opera does), at least as long as hard fail is not a  
feasible option.

Yngve N. Pettersen

Senior Developer                     Email: yngve at opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01

More information about the Public mailing list