[cabfpub] FW: Short lived OCSP signing certificate

Ben Wilson ben at digicert.com
Wed Sep 19 15:16:03 UTC 2012

What about a CABF OID for this type of certificate?  Somebody could create a
certificate profile that both CAs and Browsers recognize and follow.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Yngve N. Pettersen
Sent: Wednesday, September 19, 2012 7:54 AM
To: public at cabforum.org
Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate

On Wed, 19 Sep 2012 10:15:23 +0200, Rob Stradling <rob.stradling at comodo.com>

> On 18/09/12 17:56, Jeremy Rowley wrote:
>> Our proposal was a seven day validity period.  We selected that time 
>> period because of clock synchronization issues and because it's a 
>> typically caching interval for longer-lived certificates.
>> The whole point of short-lived certs is their fast processing 
>> compared to certs containing certificate revocation information.
> Yes, faster processing is one benefit of avoiding online revocation 
> checks, but I don't agree that faster processing is "the whole point 
> of short-lived certs".
> The other (more important, IMHO) point of the short-lived certs 
> proposal is that it aims to provide effective, hard-fail revocation 
> (realized by certificate expiry) without the false negatives inherent 
> in hard-fail online revocation checking.
> Whether or not the short-lived certs proposal actually achieves this 
> is open to question, I think.  Don't most browsers treat expired certs 
> as less bad than certs they know to be revoked?

Considering that AFAIK all browsers allow the user to click through to a
site with an expired certificate, and most, if not all, does not allow that
for positively revoked certificates, I would say that is correct.

Making shortlived certificates hardfail similar to revocation would require
recoding clients to recognize shortlived certificates somehow, and treat an
expired shortlived certificate differently than a longer lived certificate.

Yngve N. Pettersen

Senior Developer                     Email: yngve at opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
Public mailing list
Public at cabforum.org

More information about the Public mailing list