[cabfpub] FW: Short lived OCSP signing certificate

Yngve N. Pettersen yngve at opera.com
Wed Sep 19 13:53:56 UTC 2012

On Wed, 19 Sep 2012 10:15:23 +0200, Rob Stradling <rob.stradling at comodo.com> wrote:

> On 18/09/12 17:56, Jeremy Rowley wrote:
>> Our proposal was a seven day validity period.  We selected that time period
>> because of clock synchronization issues and because it's a typical caching
>> interval for longer-lived certificates.
>> The whole point of short-lived certs is their fast processing compared to
>> certs containing certificate revocation information.
> Yes, faster processing is one benefit of avoiding online revocation
> checks, but I don't agree that faster processing is "the whole point of
> short-lived certs".
> The other (more important, IMHO) point of the short-lived certs proposal
> is that it aims to provide effective, hard-fail revocation (realized by
> certificate expiry) without the false negatives inherent in hard-fail
> online revocation checking.
> Whether or not the short-lived certs proposal actually achieves this is
> open to question, I think.  Don't most browsers treat expired certs as
> less bad than certs they know to be revoked?

Considering that AFAIK all browsers allow the user to click through to a
site with an expired certificate, and most, if not all, do not allow
that for positively revoked certificates, I would say that is correct.

Making short-lived certificates hard-fail similarly to revocation would
require recoding clients to recognize short-lived certificates somehow, and
treat an expired short-lived certificate differently than a longer-lived

Yngve N. Pettersen

Senior Developer                     Email: yngve at opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
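The client-side distinction discussed above (an expired short-lived certificate treated as a hard failure, like a positively revoked one, while an expired long-lived certificate keeps the usual click-through), sketched as an added example. This is not code from the thread or from any browser; it assumes that "short-lived" means a validity period of at most seven days (the figure from the proposal), a fixed one-hour clock-skew allowance, and constructed sample certificates.

```python
"""Client-side verdict policy for short-lived vs. long-lived certificates.

Added illustration, not code from the cabfpub thread or any browser.
Assumptions: "short-lived" = validity period of at most seven days (the
proposal's figure); a fixed clock-skew allowance is applied before a
certificate counts as expired or not yet valid; sample certificates below
are constructed, not real.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

SHORT_LIVED_MAX = timedelta(days=7)        # assumed threshold (proposal: seven days)
CLOCK_SKEW_ALLOWANCE = timedelta(hours=1)  # assumed tolerance for client clock drift


class Verdict(Enum):
    OK = "ok"                # inside the validity window (skew allowance included)
    HARD_FAIL = "hard-fail"  # no user override, same treatment as a revoked cert
    SOFT_FAIL = "soft-fail"  # expired long-lived cert: client may offer click-through


@dataclass(frozen=True)
class CertValidity:
    not_before: datetime
    not_after: datetime
    revoked: bool = False    # outcome of an online (OCSP/CRL) check, if one was made


def is_short_lived(cert: CertValidity) -> bool:
    """Recognize a short-lived certificate purely from its validity period."""
    return cert.not_after - cert.not_before <= SHORT_LIVED_MAX


def needs_online_revocation_check(cert: CertValidity) -> bool:
    """Short-lived certs carry no revocation pointers; expiry does that job."""
    return not is_short_lived(cert)


def evaluate(cert: CertValidity, now: datetime) -> Verdict:
    """Map a certificate's state at time `now` to a client verdict."""
    if cert.revoked:
        return Verdict.HARD_FAIL
    outside_window = (now > cert.not_after + CLOCK_SKEW_ALLOWANCE
                      or now < cert.not_before - CLOCK_SKEW_ALLOWANCE)
    if not outside_window:
        return Verdict.OK
    # Expiry of a short-lived cert is its revocation signal: no click-through.
    return Verdict.HARD_FAIL if is_short_lived(cert) else Verdict.SOFT_FAIL


def _utc(*args: int) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample certificates (validity windows only, not real certs).
NOW = _utc(2012, 9, 19, 12, 0)
SHORT_EXPIRED = CertValidity(_utc(2012, 9, 10), _utc(2012, 9, 17))
SHORT_WITHIN_SKEW = CertValidity(_utc(2012, 9, 12, 11, 30), _utc(2012, 9, 19, 11, 30))
SHORT_VALID = CertValidity(_utc(2012, 9, 15), _utc(2012, 9, 22))
LONG_EXPIRED = CertValidity(_utc(2011, 9, 1), _utc(2012, 9, 17))
LONG_REVOKED = CertValidity(_utc(2011, 9, 1), _utc(2013, 9, 1), revoked=True)

if __name__ == "__main__":
    samples = [("short, expired", SHORT_EXPIRED),
               ("short, skew only", SHORT_WITHIN_SKEW),
               ("short, valid", SHORT_VALID),
               ("long, expired", LONG_EXPIRED),
               ("long, revoked", LONG_REVOKED)]
    for name, cert in samples:
        print(f"{name:18} short_lived={is_short_lived(cert)!s:5} "
              f"online_check={needs_online_revocation_check(cert)!s:5} "
              f"verdict={evaluate(cert, NOW).value}")
```

The skew allowance is what makes the seven-day figure matter: a client whose clock is an hour off still accepts SHORT_WITHIN_SKEW, but once a short-lived certificate is clearly past notAfter there is no override path, exactly the behaviour that would have to be coded into clients for expiry to stand in for revocation.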
