[cabfpub] FW: Short lived OCSP signing certificate
Yngve N. Pettersen
yngve at opera.com
Wed Sep 19 13:53:56 UTC 2012
On Wed, 19 Sep 2012 10:15:23 +0200, Rob Stradling
<rob.stradling at comodo.com> wrote:
> On 18/09/12 17:56, Jeremy Rowley wrote:
>> Our proposal was a seven day validity period. We selected that time
>> period because of clock synchronization issues and because it's a
>> typical caching interval for longer-lived certificates.
>>
>> The whole point of short-lived certs is their fast processing compared
>> to certs containing certificate revocation information.
>
> Yes, faster processing is one benefit of avoiding online revocation
> checks, but I don't agree that faster processing is "the whole point of
> short-lived certs".
>
> The other (more important, IMHO) point of the short-lived certs proposal
> is that it aims to provide effective, hard-fail revocation (realized by
> certificate expiry) without the false negatives inherent in hard-fail
> online revocation checking.
> Whether or not the short-lived certs proposal actually achieves this is
> open to question, I think. Don't most browsers treat expired certs as
> less bad than certs they know to be revoked?
Considering that AFAIK all browsers allow the user to click through to a
site with an expired certificate, and most, if not all, do not allow
that for positively revoked certificates, I would say that is correct.
Making short-lived certificates hard-fail similar to revocation would
require recoding clients to recognize short-lived certificates somehow, and
treat an expired short-lived certificate differently than a longer-lived
certificate.
--
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer Email: yngve at opera.com
Opera Software ASA http://www.opera.com/
Phone: +47 23 69 32 60 Fax: +47 23 69 24 01
********************************************************************
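To make concrete the client change Yngve describes above, here is an added example (not code from the thread, from Opera, or from any browser): it recognizes a short-lived certificate purely from its validity period and treats its expiry as hard-fail, like a positive revocation, while keeping the overridable expiry warning for longer-lived certificates. The seven-day threshold is the figure from Jeremy Rowley's proposal; the five-minute clock-skew tolerance, the `CertValidity`/`evaluate`/`verdict_at` names and the sample certificate dates are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# Added example, not code from the thread or any browser. It models the client
# behaviour Yngve describes: recognise a short-lived certificate from its
# validity period and hard-fail on its expiry, while keeping today's
# overridable expiry warning for longer-lived certificates.
#
# Assumptions (not specified in the thread beyond the seven-day figure):
SHORT_LIVED_MAX_VALIDITY = timedelta(days=7)      # Jeremy Rowley's proposed period
CLOCK_SKEW_TOLERANCE = timedelta(minutes=5)       # assumed allowance for unsynchronised clocks


class Verdict(Enum):
    VALID = "valid"
    NOT_YET_VALID = "not yet valid"
    EXPIRED_OVERRIDABLE = "expired; user may click through"      # current behaviour
    EXPIRED_HARD_FAIL = "expired short-lived cert; treat as revoked"


@dataclass(frozen=True)
class CertValidity:
    """Only the validity window matters for this policy; signature, chain
    building and name checks are assumed to have been done already."""
    not_before: datetime
    not_after: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before

    def is_short_lived(self) -> bool:
        # Recognise short-lived certificates purely by validity period, the
        # simplest way a client could "recognize short-lived certificates somehow".
        return self.lifetime <= SHORT_LIVED_MAX_VALIDITY


def evaluate(cert: CertValidity, now: datetime) -> Verdict:
    """Apply the expiry policy at time `now` (timezone-aware)."""
    if now + CLOCK_SKEW_TOLERANCE < cert.not_before:
        return Verdict.NOT_YET_VALID
    if now - CLOCK_SKEW_TOLERANCE <= cert.not_after:
        # Still inside the window (allowing for skew): expiry is not an issue.
        return Verdict.VALID
    # Expired beyond the skew tolerance. This is where the two kinds of
    # certificate must diverge for expiry to act as hard-fail revocation.
    if cert.is_short_lived():
        return Verdict.EXPIRED_HARD_FAIL
    return Verdict.EXPIRED_OVERRIDABLE


def verdict_at(cert: CertValidity, when_iso: str) -> str:
    """Convenience wrapper taking an ISO 8601 timestamp with UTC offset."""
    return evaluate(cert, datetime.fromisoformat(when_iso)).value


# Constructed sample certificates (dates are illustrative, not real certificates).
ISSUED = datetime(2012, 9, 12, tzinfo=timezone.utc)
SHORT_CERT = CertValidity(ISSUED, ISSUED + timedelta(days=7))      # expires 2012-09-19 00:00 UTC
LONG_CERT = CertValidity(ISSUED, ISSUED + timedelta(days=365))
OLD_LONG_CERT = CertValidity(ISSUED - timedelta(days=400), ISSUED - timedelta(days=35))

if __name__ == "__main__":
    samples = (("short-lived", SHORT_CERT), ("long-lived", LONG_CERT), ("old long-lived", OLD_LONG_CERT))
    for label, cert in samples:
        for when in ("2012-09-19T00:03:00+00:00", "2012-09-19T13:53:56+00:00"):
            print(f"{label:15s} at {when}: {verdict_at(cert, when)}")
```

The skew tolerance is applied symmetrically at both ends of the window, so a short-lived certificate that expired a minute ago is still accepted, while one that expired hours ago is rejected without an override; that is the distinction a client would need to make for expiry to stand in for revocation.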