[cabfpub] FW: Short lived OCSP signing certificate

Rich Smith richard.smith at comodo.com
Thu Sep 20 18:06:32 UTC 2012

I would say that that's yet another reason why they are not a good solution
to the revocation problem, but to be fair and honest anything we come up
with will likely present a similar problem for the installed base.  

-----Original Message-----
From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Thursday, September 20, 2012 1:52 PM
To: Rich Smith
Cc: Eddy Nigg (StartCom Ltd.); public at cabforum.org
Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate

On Thu, Sep 20, 2012 at 8:51 AM, Rich Smith <richard.smith at comodo.com>
> I'd like to hear from the browsers on this.  IMO if they are not going to
change the behavior to hard fail on expiration then there is really no point
in even continuing to discuss short lived certs as a solution to the
revocation problem.
> -Rich

Even if they change behaviour - and for short-lived certs, this is probably
reasonable - what about the existing deployed clients and browsers that are
no longer being updated?

More information about the Public mailing list