[cabfpub] Short lived OCSP signing certificate
geoffk at apple.com
Tue Sep 18 22:48:29 UTC 2012
On Sep 18, 2012, at 2:23 PM, Rich Smith <richard.smith at comodo.com> wrote:
> The browsers have the ability to decide to treat short lived
> certificates any way they see fit whether revocation information is there or
Can a browser really do that? If a certificate has a 5-day lifespan and has revocation information, there's no reason the revocation information couldn't be published daily, or hourly, and in that case it would still need to be checked.
I appreciate the argument that revocation information is still useful even if it would initially be issued as 'valid for 10 days' on a 5-day certificate, because the certificate could be revoked after 2 days. However, this is only sometimes a concern, and is something that could be addressed with risk management by CAs; for example, perhaps certificates to a new customer would always have revocation information for the first 20 days. From the browser point of view, we can't rely on a revocation being valid until previous responses have expired, since they could be cached even outside the browser (in an HTTP proxy, for example).
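The caching point above, worked through as an added illustration (not part of the thread): a client that honours a cached OCSP response until its nextUpdate only learns of a revocation on its next fetch, so a 10-day response window on a 5-day certificate can outlive the certificate entirely. The responder model and the timings are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class OcspResponse:
    this_update: datetime
    next_update: datetime  # a cache (browser or HTTP proxy) may serve this copy until then
    revoked: bool


def responder_answer(now: datetime, revoked_at: Optional[datetime],
                     window: timedelta) -> OcspResponse:
    """Constructed model of a responder that signs a fresh response at `now`,
    valid for `window`, and reports 'revoked' once `revoked_at` has passed."""
    is_revoked = revoked_at is not None and now >= revoked_at
    return OcspResponse(this_update=now, next_update=now + window, revoked=is_revoked)


def first_observed_revocation(cert_not_after: datetime, revoked_at: datetime,
                              window: timedelta, first_fetch: datetime) -> Optional[datetime]:
    """Earliest time a client that fetched at `first_fetch`, and re-fetches only
    when its cached response expires, would see 'revoked'.
    Returns None when the certificate expires before any fresh fetch happens."""
    fetch = first_fetch
    while fetch < cert_not_after:
        resp = responder_answer(fetch, revoked_at, window)
        if resp.revoked:
            return fetch
        fetch = resp.next_update  # cached copy is trusted until nextUpdate
    return None


if __name__ == "__main__":
    issued = datetime(2012, 9, 18)          # constructed issuance time
    expires = issued + timedelta(days=5)    # the 5-day certificate from the message
    revoked = issued + timedelta(days=2)    # revoked after 2 days
    # 10-day responses: the day-0 copy is still "valid" when the cert expires
    print(first_observed_revocation(expires, revoked, timedelta(days=10), issued))
    # hourly responses: the revocation is seen at the next hourly refresh
    print(first_observed_revocation(expires, revoked, timedelta(hours=1), issued))
```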