[cabfpub] FW: Short lived OCSP signing certificate

Rob Stradling rob.stradling at comodo.com
Wed Sep 19 08:15:23 UTC 2012

On 18/09/12 17:56, Jeremy Rowley wrote:
> Our proposal was a seven day validity period.  We selected that time period
> because of clock synchronization issues and because it's a typically caching
> interval for longer-lived certificates.
> The whole point of short-lived certs is their fast processing compared to
> certs containing certificate revocation information.

Yes, faster processing is one benefit of avoiding online revocation 
checks, but I don't agree that faster processing is "the whole point of 
short-lived certs".

The other (more important, IMHO) point of the short-lived certs proposal 
is that it aims to provide effective, hard-fail revocation (realized by 
certificate expiry) without the false negatives inherent in hard-fail 
online revocation checking.
Whether or not the short-lived certs proposal actually achieves this is 
open to question, I think.  Don't most browsers treat expired certs as 
less bad than certs they know to be revoked?

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list