[cabfpub] OCSP Stapling and Short-Lived Certificates Proposal

Gervase Markham gerv at mozilla.org
Mon Mar 25 03:37:15 MST 2013


On 23/03/13 05:23, Ryan Sleevi wrote:
> If the CA has issued a valid, signed OCSP response, then they have no
> ability to revoke that certificate for any client that supports
> stapling, until that OCSP response expires.

And if I were an attacker, the very first thing I'd do, on obtaining my
dodgy cert, would be to grab a valid OCSP response for it so I had that
in the bank too.

>     Finally, I’m guessing that any short lived cert issuance process is
>     going to be totally automatic – machine to machine from CA to
>     customer – repeated constantly unless turned off – without human
>     intervention unless something goes wrong.  I don’t trust automatic
>     processes like that – how will the new short lived certs get through
>     the customer’s firewalls to be installed, and how will the customer
>     be sure the new cert is automatically installed correctly on the
>     right servers – so I see potential new vectors for attack (or simple
>     screw up).
> 
> While understandable that there are technical complexities, the
> CA/Browser Forum should not attempt to prevent new markets or new
> techniques that can improve security - especially when they are
> demonstrably no worse than the existing security guarantees provided to
> relying parties by forum members.

I agree with Ryan that blocking this proposal on these particular
grounds would put us on a very sticky wicket.

Gerv
