[cabfpub] FW: Short lived OCSP signing certificate

Rob Stradling rob.stradling at comodo.com
Thu Sep 20 08:48:41 UTC 2012

On 20/09/12 09:36, Eddy Nigg (StartCom Ltd.) wrote:
> On 09/20/2012 11:26 AM, From Rob Stradling:
>> Or, does the current treatment of expired long-lived certificates need
>> to change? During a long-lived certificate's lifetime, many browsers
>> will notice if it gets revoked. But as soon as that revoked
>> certificate expires, those same browsers will presumably start
>> treating that certificate no differently than they would treat an
>> expired certificate that was never revoked.
> Some browsers will check certificate status nevertheless.

The PKIX specs don't require CRL/OCSP services to cover expired 
certificates, so there's no guarantee that a browser would be able to 
discover that an expired certificate was once revoked.

> But certainly certificates that expired shouldn't be relied upon.

Do you think browsers should block access to sites that use expired 
certs (in the same way that they block access to sites that use revoked 

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list