[cabfpub] FW: Short lived OCSP signing certificate

Rick Andrews Rick_Andrews at symantec.com
Wed Sep 19 16:10:38 UTC 2012


Why not just re-use the id-pkix-ocsp-nocheck extension?

-Rick

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Ben Wilson
> Sent: Wednesday, September 19, 2012 8:16 AM
> To: 'Yngve N. Pettersen'; public at cabforum.org
> Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
> 
> What about a CABF OID for this type of certificate?  Somebody could create a
> certificate profile that both CAs and Browsers recognize and follow.
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Yngve N. Pettersen
> Sent: Wednesday, September 19, 2012 7:54 AM
> To: public at cabforum.org
> Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
> 
> On Wed, 19 Sep 2012 10:15:23 +0200, Rob Stradling <rob.stradling at comodo.com>
> wrote:
> 
> > On 18/09/12 17:56, Jeremy Rowley wrote:
> >> Our proposal was a seven day validity period.  We selected that time
> >> period because of clock synchronization issues and because it's a
> >> typical caching interval for longer-lived certificates.
> >>
> >> The whole point of short-lived certs is their fast processing
> >> compared to certs containing certificate revocation information.
> >
> > Yes, faster processing is one benefit of avoiding online revocation
> > checks, but I don't agree that faster processing is "the whole point
> > of short-lived certs".
> >
> > The other (more important, IMHO) point of the short-lived certs
> > proposal is that it aims to provide effective, hard-fail revocation
> > (realized by certificate expiry) without the false negatives inherent
> > in hard-fail online revocation checking.
> > Whether or not the short-lived certs proposal actually achieves this
> > is open to question, I think.  Don't most browsers treat expired certs
> > as less bad than certs they know to be revoked?
> 
> Considering that AFAIK all browsers allow the user to click through to a
> site with an expired certificate, and most, if not all, do not allow that
> for positively revoked certificates, I would say that is correct.
> 
> Making short-lived certificates hard-fail similar to revocation would require
> recoding clients to recognize short-lived certificates somehow, and treat an
> expired short-lived certificate differently than a longer-lived certificate.
> 
> 
> --
> Sincerely,
> Yngve N. Pettersen
> 
> ********************************************************************
> Senior Developer                     Email: yngve at opera.com
> Opera Software ASA                   http://www.opera.com/
> Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
> ********************************************************************
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
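As an added illustration (not code from this thread or from any browser), here is the client-side recognition Yngve says would be needed, combining Rick's suggestion of the id-pkix-ocsp-nocheck extension as the marker with the seven-day ceiling from the proposal; the five-minute clock-skew allowance, the decision labels and the sample certificates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# id-pkix-ocsp-nocheck (RFC 6960, 4.2.2.2.1): the marker Rick suggests re-using.
OCSP_NOCHECK_OID = "1.3.6.1.5.5.7.48.1.5"
SHORT_LIVED_MAX = timedelta(days=7)      # the seven-day ceiling in the proposal
CLOCK_SKEW = timedelta(minutes=5)        # notBefore tolerance (assumed value)

@dataclass
class Cert:
    not_before: datetime
    not_after: datetime
    extension_oids: frozenset = frozenset()

def is_short_lived(cert):
    """Marker present AND window within the ceiling: the marker alone cannot
    exempt a long-lived certificate from online checking."""
    window = cert.not_after - cert.not_before
    return OCSP_NOCHECK_OID in cert.extension_oids and window <= SHORT_LIVED_MAX

def revocation_decision(cert, now, online_status=None):
    """online_status is None (no answer available), 'good' or 'revoked'."""
    if now + CLOCK_SKEW < cert.not_before:
        return "reject_not_yet_valid"
    if now > cert.not_after:
        # For a short-lived cert expiry *is* the revocation signal, so it must
        # hard-fail; ordinary expiry keeps the click-through browsers allow today.
        return "hard_fail_expired" if is_short_lived(cert) else "soft_fail_expired"
    if is_short_lived(cert):
        return "accept_without_online_check"
    if online_status == "revoked":
        return "hard_fail_revoked"
    return "accept" if online_status == "good" else "soft_fail_no_revocation_info"

# Constructed samples; the clock is fixed at the date of the message above.
NOW = datetime(2012, 9, 19, 16, 10, tzinfo=timezone.utc)

def sample_decisions(now=NOW):
    day, marked = timedelta(days=1), frozenset({OCSP_NOCHECK_OID})
    samples = {
        "marked_short_valid": (Cert(now - 3 * day, now + 4 * day, marked), None),
        "marked_short_expired": (Cert(now - 8 * day, now - day, marked), None),
        "unmarked_short_expired": (Cert(now - 8 * day, now - day), None),
        "marked_long_valid": (Cert(now - 30 * day, now + 335 * day, marked), None),
        "long_revoked": (Cert(now - 30 * day, now + 335 * day), "revoked"),
    }
    return {name: revocation_decision(c, now, s) for name, (c, s) in samples.items()}
```

Note that the unmarked seven-day certificate still gets today's soft expiry treatment, which is exactly the gap Yngve points out: without some marker, a client cannot tell a short-lived certificate from any other.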
