[cabfpub] OCSP Stapling and Short-Lived Certificates Proposal

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Sat Mar 23 10:37:53 UTC 2013

On 03/23/2013 02:59 AM, From Rick Andrews:
> My logic was this: I see a 2-year cert that was issued one day ago; 
> the CA must have thought it was valid or it wouldn’t have issued it; 
> the CA very likely also issued an OCSP response that says the cert is 
> good for the first 7 days; even without fetching the OCSP response I 
> can conclude that even if I fetched one or got one via stapling, it 
> would say that the cert was valid. Since I already know the answer, I 
> don’t have to ask the question.

Really? Didn't it ever happen that a certificate was issued and, shortly 
after that, a post-issuance check detected a mistake and it was revoked before 
the subscriber could even install it on the server? Since the client 
also doesn't know which maximum validity and nextUpdate have been set by 
the CA, it can't assume it's seven days either.

Signer: Eddy Nigg, COO/CTO
        StartCom Ltd. <http://www.startcom.org>
XMPP:   startcom at startcom.org <xmpp:startcom at startcom.org>
Blog:   Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
