[cabfpub] OCSP Stapling and Short-Lived Certificates Proposal

Ryan Sleevi sleevi at google.com
Sat Mar 23 00:44:11 UTC 2013

On Fri, Mar 22, 2013 at 5:38 PM, Rick Andrews <Rick_Andrews at symantec.com>wrote:

> I’m very much in agreement with Eddy on this.****
> ** **
> Consider this: If I take the basic argument that you don’t need to check
> revocation on a short lived cert (say, valid for 7 days) because the CA’s
> OCSP responses are also good for 7 days, then I would claim that when SSL
> clients (browsers) see a long-lived SSL certificate, they can skip
> revocation checking if the cert is less than 7 days old. I certainly
> wouldn’t want browsers to do that.****
> ** **
> -Rick

I'm not sure I follow your logic, Rick.

If the browser has obtained a valid OCSP response (eg: via OCSP stapling),
they can skip obtaining fresh revocation information - because to every
compliant implementation, it IS fresh revocation information.

If there's NO revocation information, I don't think the same argument

The point of the discussion here is not about what the exact behaviour is -
but what the effective security is. And in the case of short-lived certs,
the effective security is identical.

It's certainly reasonable to discuss whether the effective security is
IDEAL, but that's a separate discussion than the one we're having - which
is establishing whether or not the effective security of a short-lived cert
is the same effective security as providing revocation information.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130322/f7dea154/attachment-0003.html>

More information about the Public mailing list