[cabfpub] FW: Short lived OCSP signing certificate
Rob Stradling
rob.stradling at comodo.com
Thu Sep 20 08:26:46 UTC 2012
On 19/09/12 14:53, Yngve N. Pettersen wrote:
> On Wed, 19 Sep 2012 10:15:23 +0200, Rob Stradling
> <rob.stradling at comodo.com> wrote:
<snip>
>> Whether or not the short-lived certs proposal actually achieves this is
>> open to question, I think. Don't most browsers treat expired certs as
>> less bad than certs they know to be revoked?
>
> Considering that AFAIK all browsers allow the user to click through to a
> site with an expired certificate, and most, if not all, do not allow
> that for positively revoked certificates, I would say that is correct.
>
> Making short-lived certificates hard-fail similar to revocation would
> require recoding clients to recognize short-lived certificates somehow, and
> treat an expired short-lived certificate differently than a longer-lived
> certificate.
Or, does the current treatment of expired long-lived certificates need
to change?
During a long-lived certificate's lifetime, many browsers will notice if
it gets revoked. But as soon as that revoked certificate expires, those
same browsers will presumably start treating that certificate no
differently than they would treat an expired certificate that was never
revoked.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online