[cabfpub] FW: Short lived OCSP signing certificate
rob.stradling at comodo.com
Thu Sep 20 08:48:41 UTC 2012
On 20/09/12 09:36, Eddy Nigg (StartCom Ltd.) wrote:
> On 09/20/2012 11:26 AM, From Rob Stradling:
>> Or, does the current treatment of expired long-lived certificates need
>> to change? During a long-lived certificate's lifetime, many browsers
>> will notice if it gets revoked. But as soon as that revoked
>> certificate expires, those same browsers will presumably start
>> treating that certificate no differently than they would treat an
>> expired certificate that was never revoked.
> Some browsers will check certificate status nevertheless.
The PKIX specs don't require CRL/OCSP services to cover expired
certificates, so there's no guarantee that a browser would be able to
discover that an expired certificate was once revoked.
> But certainly certificates that expired shouldn't be relied upon.
Do you think browsers should block access to sites that use expired
certs (in the same way that they block access to sites that use revoked
Senior Research & Development Scientist
COMODO - Creating Trust Online