[cabfpub] Short lived OCSP signing certificate

Ryan Hurst ryan.hurst at globalsign.com
Wed Sep 19 03:24:15 UTC 2012

Personally I believe that:

1. Certificate Authorities are in the best position to determine if they are
able and/or do publish revocation information frequently enough to warrant
inclusion of revocation pointers in a certificate.

2. Clients have the right to decide that a certificate that does not contain
a revocation pointer is sufficiently trustworthy however I do not advocate
this approach and instead prefer a concept of being sufficiently fresh or
have revocation information.

3. That certificates that claim BR compliance must contain revocation

4. Historically the absence of revocation pointers has been accepted as a CA
stating they have made that determination and have decided that it's not
appropriate to do so; this is true in OCSP and existing short lived
certificate deployments and every chain validation implementation I have
worked with.

5. That the clock-skew data shared by Comodo has shown that there are some
practical limits to how short revocation messages and/or short lived
certificates can be without causing problems.

6. If we update the BRs to accommodate short lived certificates (which I
think we should do) the shortness of a "short lived certificate" that does
not contain revocation pointers would be gated by the maximum validity
period for a revocation status message. In other words, if we say in the BRs
an OCSP message needs to be updated at least every 5 days then a short lived
certificate cannot be valid for longer than 5 days. This is because it
is logically the same risk as a long lived certificate that was issued and
had a "good" response generated and cached moments prior to its revocation.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Geoff Keating
Sent: Wednesday, September 19, 2012 7:48 AM
To: richard.smith at comodo.com
Cc: 'Mads Egil Henriksveen'; 'CABFPub'
Subject: Re: [cabfpub] Short lived OCSP signing certificate

On Sep 18, 2012, at 2:23 PM, Rich Smith <richard.smith at comodo.com> wrote:

> The browsers have the ability to decide to treat short lived 
> certificates any way they see fit whether revocation information is 
> there or not.

Can a browser really do that?  If a certificate has a 5-day lifespan and has
revocation information, there's no reason the revocation information
couldn't be published daily, or hourly, and in that case it would still need
to be checked.

I appreciate the argument that revocation information is still useful even
if it would initially be issued as 'valid for 10 days' on a 5-day
certificate, because the certificate could be revoked after 2 days.  However
this is only sometimes a concern, and is something that could be addressed
with risk management by CAs; for example, perhaps certificates to a new
customer would always have revocation information for the first 20 days.
From the browser point of view, we can't rely on a revocation being valid
until previous responses have expired, since they could be cached even
outside the browser (in a HTTP proxy for example).
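The equivalence argued in point 6 (a pointer-less certificate is only as safe as a pointer-bearing one if its lifetime does not exceed the maximum OCSP response validity), together with Geoff's caching caveat, can be checked with a small model. The code below is an added illustration, not code from the CA/B Forum or from any poster in this thread; the policy figures, class names and sample dates are all constructed, and the 5-day refresh rule is the hypothetical one used in point 6.

```python
# Added illustration of the short-lived-certificate vs. OCSP-validity argument
# from point 6 above. Not CA/B Forum code; all names and dates are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Certificate:
    not_before: datetime
    not_after: datetime
    has_revocation_pointer: bool  # AIA OCSP URL or CRL distribution point present

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before


@dataclass(frozen=True)
class RevocationPolicy:
    # Hypothetical BR-style rule: a "good" OCSP response must be refreshed at
    # least this often, so one may be served (or cached) for at most this long.
    max_response_validity: timedelta


def untrusted_everywhere_by(cert: Certificate, revoked_at: datetime,
                            policy: RevocationPolicy) -> datetime:
    """Earliest time by which every relying party is guaranteed to reject the
    certificate. As Geoff notes, a good response produced just before revocation
    may sit in an HTTP proxy cache until it expires, so revocation is only
    certain to be seen once that response's validity has run out."""
    if revoked_at >= cert.not_after:
        return cert.not_after
    if cert.has_revocation_pointer:
        return min(revoked_at + policy.max_response_validity, cert.not_after)
    return cert.not_after  # no pointer: only expiry ends trust


def exposure_after_revocation(cert: Certificate, revoked_at: datetime,
                              policy: RevocationPolicy) -> timedelta:
    """How long a revoked certificate may still be accepted somewhere."""
    return untrusted_everywhere_by(cert, revoked_at, policy) - revoked_at


def worst_case_exposure(cert: Certificate, policy: RevocationPolicy) -> timedelta:
    """Upper bound over all revocation times: revocation right after issuance."""
    return exposure_after_revocation(cert, cert.not_before, policy)


def acceptable_without_pointer(cert: Certificate, policy: RevocationPolicy) -> bool:
    """Point 6's rule: a pointer-less certificate is acceptable only if its
    worst-case exposure is no greater than a pointer-bearing certificate's
    under the same refresh policy, i.e. lifetime <= max response validity."""
    return (not cert.has_revocation_pointer
            and cert.lifetime <= policy.max_response_validity)


# Constructed scenario: a 5-day OCSP refresh rule and three certificates.
POLICY = RevocationPolicy(max_response_validity=timedelta(days=5))
ISSUED = datetime(2012, 9, 1)
SHORT_CERT = Certificate(ISSUED, ISSUED + timedelta(days=5), has_revocation_pointer=False)
LONG_CERT = Certificate(ISSUED, ISSUED + timedelta(days=365), has_revocation_pointer=True)
TOO_LONG_CERT = Certificate(ISSUED, ISSUED + timedelta(days=7), has_revocation_pointer=False)
REVOKED_AT = ISSUED + timedelta(days=2)


if __name__ == "__main__":
    for name, cert in (("short, no pointer", SHORT_CERT),
                       ("long, OCSP pointer", LONG_CERT),
                       ("7-day, no pointer", TOO_LONG_CERT)):
        print(f"{name}: worst case {worst_case_exposure(cert, POLICY).days} days, "
              f"revoked on day 2 -> {exposure_after_revocation(cert, REVOKED_AT, POLICY).days} "
              f"days, BR-acceptable without pointer: {acceptable_without_pointer(cert, POLICY)}")
```

Under the 5-day policy the pointer-less 5-day certificate and the one-year certificate with an OCSP pointer both bottom out at a 5-day worst case, which is exactly the "logically the same risk" claim in point 6; stretching the pointer-less lifetime to 7 days pushes its worst case past what the policy tolerates.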