[cabfpub] FW: Short lived OCSP signing certificate

Rob Stradling rob.stradling at comodo.com
Thu Sep 20 08:26:46 UTC 2012

On 19/09/12 14:53, Yngve N. Pettersen wrote:
> On Wed, 19 Sep 2012 10:15:23 +0200, Rob Stradling
> <rob.stradling at comodo.com> wrote:
>> Whether or not the short-lived certs proposal actually achieves this is
>> open to question, I think.  Don't most browsers treat expired certs as
>> less bad than certs they know to be revoked?
> Considering that AFAIK all browsers allow the user to click through to a
> site with an expired certificate, and most, if not all, does not allow
> that for positively revoked certificates, I would say that is correct.
> Making shortlived certificates hardfail similar to revocation would
> require recoding clients to recognize shortlived certificates somehow, and
> treat an expired shortlived certificate differently than a longer lived
> certificate.

Or, does the current treatment of expired long-lived certificates need 
to change?

During a long-lived certificate's lifetime, many browsers will notice if 
it gets revoked.  But as soon as that revoked certificate expires, those 
same browsers will presumably start treating that certificate no 
differently than they would treat an expired certificate that was never 

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list