[cabfpub] Short lived OCSP signing certificate
Mads Egil Henriksveen
Mads.Henriksveen at buypass.no
Wed Sep 19 06:32:07 UTC 2012
This is interesting - you are saying:
From the browser point of view, we can't rely on a revocation being valid until previous responses have expired,
since they could be cached even outside the browser (in a HTTP proxy for example).
If an OCSP response is valid for 10 days, then (some) browsers will not get a new fresh OCSP response until the previous one has expired (!?). Then using a short lived Subscriber certificate with a lifetime of 10 days without revocation information should be equivalent in terms of "ability to distribute revocation information" to the browsers using the current infrastructure.
I guess browsers have their own strategies for updating revocation information, but if the distribution of the revocation information depends on infrastructure components outside CA/browser control (proxies, routers etc), we might have a problem.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Geoff Keating
Sent: 19. september 2012 00:48
To: richard.smith at comodo.com
Cc: Mads Egil Henriksveen; 'CABFPub'
Subject: Re: [cabfpub] Short lived OCSP signing certificate
On Sep 18, 2012, at 2:23 PM, Rich Smith <richard.smith at comodo.com> wrote:
> The browsers have the ability to decide to treat short lived
> certificates any way they see fit whether revocation information is there or
Can a browser really do that? If a certificate has a 5-day lifespan and has revocation information, there's no reason the revocation information couldn't be published daily, or hourly, and in that case it would still need to be checked.
I appreciate the argument that revocation information is still useful even if it would initially be issued as 'valid for 10 days' on a 5-day certificate, because the certificate could be revoked after 2 days. However this is only sometimes a concern, and is something that could be addressed with risk management by CAs; for example, perhaps certificates to a new customer would always have revocation information for the first 20 days. From the browser point of view, we can't rely on a revocation being valid until previous responses have expired, since they could be cached even outside the browser (in a HTTP proxy for example).
Public mailing list
Public at cabforum.org
More information about the Public