[cabfpub] FW: Short lived OCSP signing certificate
rob.stradling at comodo.com
Wed Sep 19 08:15:23 UTC 2012
On 18/09/12 17:56, Jeremy Rowley wrote:
> Our proposal was a seven day validity period. We selected that time period
> because of clock synchronization issues and because it's a typical caching
> interval for longer-lived certificates.
> The whole point of short-lived certs is their fast processing compared to
> certs containing certificate revocation information.
Yes, faster processing is one benefit of avoiding online revocation
checks, but I don't agree that faster processing is "the whole point of
The other (more important, IMHO) point of the short-lived certs proposal
is that it aims to provide effective, hard-fail revocation (realized by
certificate expiry) without the false negatives inherent in hard-fail
online revocation checking.
Whether or not the short-lived certs proposal actually achieves this is
open to question, I think. Don't most browsers treat expired certs as
less bad than certs they know to be revoked?
Senior Research & Development Scientist
COMODO - Creating Trust Online
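The trade-off Rob describes above (short-lived certificates give hard-fail revocation through expiry, while hard-fail online checking rejects good certificates whenever the responder is unreachable) can be made concrete with a small model. The code below is an added example and is not part of this thread or of any CA's or browser's implementation; it assumes a seven-day lifetime as proposed in the thread, a one-hour clock-skew tolerance (an assumption), and a simulated OCSP responder that can be good, revoked, or unreachable. It models the policy Rob intends, where an expired certificate is rejected as firmly as a revoked one, which is precisely the browser behaviour he says is open to question.

```python
"""Toy comparison of three revocation policies: hard-fail OCSP, soft-fail OCSP,
and short-lived certificates that carry no revocation pointers at all.
Constructed example: all certificates, times and responder states are made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

SHORT_LIVED_LIFETIME = timedelta(days=7)   # validity period proposed in the thread
CLOCK_SKEW = timedelta(hours=1)            # assumed tolerance for client clock drift
POLICIES = ("hard-fail", "soft-fail", "short-lived")


class Ocsp(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNREACHABLE = "unreachable"   # responder down, blocked, or timed out


@dataclass(frozen=True)
class Cert:
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None   # known to the CA, never visible to the client


def issue(issued_at: datetime, lifetime: timedelta = SHORT_LIVED_LIFETIME,
          revoked_at: Optional[datetime] = None) -> Cert:
    """Issue a certificate valid from issued_at for the given lifetime."""
    return Cert(issued_at, issued_at + lifetime, revoked_at)


def within_validity(cert: Cert, now: datetime, skew: timedelta = CLOCK_SKEW) -> bool:
    """Expiry check with skew tolerance: the only check a short-lived cert gets."""
    return cert.not_before - skew <= now <= cert.not_after + skew


def ocsp_query(cert: Cert, now: datetime, reachable: bool) -> Ocsp:
    """Simulated OCSP response; the responder only answers when reachable."""
    if not reachable:
        return Ocsp.UNREACHABLE
    if cert.revoked_at is not None and now >= cert.revoked_at:
        return Ocsp.REVOKED
    return Ocsp.GOOD


def verdict(cert: Cert, now: datetime, policy: str, responder_reachable: bool = True) -> str:
    """Return 'accept' or 'reject' for one certificate under one policy."""
    if not within_validity(cert, now):
        return "reject"                      # expiry is a hard failure under every policy
    if policy == "short-lived":
        return "accept"                      # no online check: expiry is the revocation mechanism
    status = ocsp_query(cert, now, responder_reachable)
    if status is Ocsp.REVOKED:
        return "reject"
    if status is Ocsp.UNREACHABLE:
        return "reject" if policy == "hard-fail" else "accept"
    return "accept"


def max_exposure(cert: Cert, revoked_at: datetime) -> timedelta:
    """Longest time a revoked short-lived cert keeps being accepted: until expiry plus skew."""
    return max(timedelta(0), cert.not_after + CLOCK_SKEW - revoked_at)


def worst_case_exposure_hours(lifetime_days: int = 7, revoked_after_days: int = 2) -> float:
    """Exposure window, in hours, for a cert revoked revoked_after_days after issuance."""
    t0 = datetime(2012, 9, 19, 8, 0, tzinfo=timezone.utc)   # constructed issuance time
    cert = issue(t0, timedelta(days=lifetime_days))
    return max_exposure(cert, t0 + timedelta(days=revoked_after_days)).total_seconds() / 3600


def scenarios() -> dict:
    """Verdict table for the cases discussed in the thread (constructed data)."""
    t0 = datetime(2012, 9, 19, 8, 0, tzinfo=timezone.utc)
    good = issue(t0)
    revoked = issue(t0, revoked_at=t0 + timedelta(days=2))
    checks = {
        "good cert, responder up":         (good,    t0 + timedelta(days=1), True),
        "good cert, responder down":       (good,    t0 + timedelta(days=1), False),
        "revoked cert, responder blocked": (revoked, t0 + timedelta(days=3), False),
        "revoked cert, after expiry":      (revoked, t0 + timedelta(days=8), False),
    }
    return {name: {p: verdict(cert, now, p, up) for p in POLICIES}
            for name, (cert, now, up) in checks.items()}


if __name__ == "__main__":
    for name, row in scenarios().items():
        print(f"{name:34s} " + "  ".join(f"{p}={v}" for p, v in row.items()))
    print(f"worst-case exposure for a 7-day cert revoked on day 2: "
          f"{worst_case_exposure_hours():.0f} hours")
```

The table makes the two failure modes visible side by side: with the responder down, hard-fail OCSP rejects a perfectly good certificate (the false negative Rob refers to), while a short-lived certificate is still accepted; with the responder blocked, soft-fail OCSP accepts a revoked certificate indefinitely, whereas the short-lived certificate is accepted only until its notAfter passes, so the exposure is bounded by the lifetime plus the skew allowance rather than open-ended.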