[cabfpub] FW: Short lived OCSP signing certificate
Rich Smith
richard.smith at comodo.com
Tue Sep 18 17:53:44 UTC 2012
> -----Original Message-----
> From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
> Sent: Tuesday, September 18, 2012 12:57 PM
>
> Our proposal was a seven day validity period. We selected that time
> period because of clock synchronization issues and because it's a
> typical caching interval for longer-lived certificates.
[RWS] If that's what the current spec allows then IMO if you want to make
something more secure, concentrate on changing that. Caching revocation
information for 7 days is insane.
>
> The whole point of short-lived certs is their fast processing compared
> to certs containing certificate revocation information. Like you said
> Gerv, the whole advantage of short-lived certs is eviscerated if
> revocation information is included.
[RWS] Why and how? Like I said, what the relying party does with the
information once we've provided it is up to them.
>
> The baseline requirements are not intended to stifle innovation and
> progress. That is the reason the validation sections are broad and
> open ended. We should be permitting new ideas and developments
> provided that these ideas provide similar levels of security and
> assurance.
[RWS] I don't see how leaving a certificate which should be revoked
un-revoked for up to 7 days provides any level of security or assurance.
>
-Rich