[cabfpub] FW: Short lived OCSP signing certificate

Rich Smith richard.smith at comodo.com
Tue Sep 18 17:53:44 UTC 2012

> -----Original Message-----
> From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
> Sent: Tuesday, September 18, 2012 12:57 PM
> Our proposal was a seven day validity period.  We selected that time
> period because of clock synchronization issues and because it's a
> typically caching interval for longer-lived certificates.
[RWS] If that's what the current spec allows then IMO if you want to make
something more secure, concentrate on changing that.  Caching revocation
information for 7 days is insane.
> The whole point of short-lived certs is their fast processing compared
> to certs containing certificate revocation information.  Like you said
> Gerv, the whole advantage of short lived certs is eviscerated if
> revocation information is included.
[RWS] Why and how?  Like I said, what the relying party does with the
information once we've provided it is up to them.
> The baseline requirements are not intended to stifle innovation and
> progress.  That is the reason the validation sections are broad and
> open ended.  We should be permitting new ideas and developments
> provided that these ideas  provide similar levels of security and
> assurance.
[RWS] I don't see how leaving a certificate which should be revoked
un-revoked for up to 7 days provides any level of security or assurance.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6391 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20120918/8c78cc3c/attachment-0004.bin>

More information about the Public mailing list