[cabfpub] FW: Short lived OCSP signing certificate
bv at norbionics.com
Fri Sep 21 10:38:34 UTC 2012
On 21. Sep, 2012, at 01:38 , Robert Relyea wrote:
> On 09/20/2012 01:56 AM, Ryan Hurst wrote:
>> I personally do.
> As a security person, I would agree with you. As someone who at one
> point implemented this for a short period in what was a major
> browser at the time (early Netscape days), I can say there is a
> definite difference in the number of false positives. In the
> revocation case, there is very close to zero false positives. If I
> get an indication that the cert was revoked, I can be extremely
> confident that the cert is bad and that there is no reasonable
> reason the user should be able to override blocking the site. In the
> expiration case, there is a relatively high rate of false positives,
> that is, certs that are expired because the admin forgot to renew
> them. The number of expired certs which are actually being used as
> attacks versus the number of expired certs that exist because of
> misconfiguration is small, so not allowing the user to override them
> generates bad will with the users (though we have progressively made
> overriding less friendly to users, which has reduced the actual
> number of expired certs active at any time in the wild).
> We agree that expired certs are bad, and we treat them as untrusted,
> but because there is a high incidence of false positives, we allow
> them to be overridden (just like untrusted is overridable).
On the other hand, there used to be a different set of "false
positives" that has almost disappeared. Early on, it was not uncommon
that even serious companies forgot to renew their domain. People could
suddenly not reach their website. Because of that drastic consequence,
this hardly ever happens any more.
One might also wonder if a site that is not able to keep their
certificates current and valid also has lax routines in other areas,
so that a lack of trust is appropriate.