[cabfpub] FW: Short lived OCSP signing certificate

Ryan Hurst ryan.hurst at globalsign.com
Thu Sep 20 08:56:44 UTC 2012

I personally do.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rob Stradling
Sent: Thursday, September 20, 2012 5:49 PM
To: Eddy Nigg (StartCom Ltd.)
Cc: public at cabforum.org
Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate

On 20/09/12 09:36, Eddy Nigg (StartCom Ltd.) wrote:
> On 09/20/2012 11:26 AM, From Rob Stradling:
>> Or, does the current treatment of expired long-lived certificates 
>> need to change? During a long-lived certificate's lifetime, many 
>> browsers will notice if it gets revoked. But as soon as that revoked 
>> certificate expires, those same browsers will presumably start 
>> treating that certificate no differently than they would treat an 
>> expired certificate that was never revoked.
> Some browsers will check certificate status nevertheless.

The PKIX specs don't require CRL/OCSP services to cover expired
certificates, so there's no guarantee that a browser would be able to
discover that an expired certificate was once revoked.

> But certainly certificates that expired shouldn't be relied upon.

Do you think browsers should block access to sites that use expired certs
(in the same way that they block access to sites that use revoked certs)?

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
