[cabfpub] OCSP Stapling and Short-Lived Certificates Proposal
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Sat Mar 23 10:37:53 UTC 2013
On 03/23/2013 02:59 AM, From Rick Andrews:
> My logic was this: I see a 2-year cert that was issued one day ago;
> the CA must have thought it was valid or it wouldn’t have issued it;
> the CA very likely also issued an OCSP response that says the cert is
> good for the first 7 days; even without fetching the OCSP response I
> can conclude that even if I fetched one or got one via stapling, it
> would say that the cert was valid. Since I already know the answer, I
> don’t have to ask the question.
Really? Didn't it ever happen that a certificate was issued and, shortly
after that, a post-issuance check detected a mistake and it was revoked
before the subscriber could even install it at the server? Since the client
also doesn't know which maximum validity and nextUpdate have been set by
the CA, it can't assume it's seven days either.
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
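The disagreement above is about two client policies: skip the revocation check because the certificate is brand new, or consult the CA's actual (stapled) OCSP response and honour the thisUpdate/nextUpdate window the CA chose. The following model, added here and not part of the thread, contrasts the two on the scenario Eddy describes (issued, then revoked after a post-issuance check). The certificate and responses are constructed in-memory objects rather than parsed DER, and the serial numbers, dates and window lengths are made up for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class Certificate:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class OCSPResponse:
    serial: int
    status: CertStatus
    this_update: datetime
    next_update: datetime  # chosen by the CA; the client must read it, not assume it


def in_validity(cert: Certificate, now: datetime) -> bool:
    return cert.not_before <= now <= cert.not_after


def response_is_usable(resp: OCSPResponse, cert: Certificate, now: datetime) -> bool:
    """A stapled response counts only if it is for this cert and `now` lies
    inside the CA-defined [thisUpdate, nextUpdate] window."""
    return resp.serial == cert.serial and resp.this_update <= now <= resp.next_update


def accept_assuming_fresh_cert_is_good(
    cert: Certificate, now: datetime, grace: timedelta = timedelta(days=7)
) -> bool:
    """Heuristic from the quoted mail: a cert issued less than `grace` ago is
    treated as good without consulting any OCSP response."""
    return in_validity(cert, now) and (now - cert.not_before) < grace


def accept_with_stapled_response(
    cert: Certificate, resp: Optional[OCSPResponse], now: datetime
) -> bool:
    """Policy from the reply: require a usable response from the CA and
    accept only if it says GOOD. No usable response means no acceptance."""
    if not in_validity(cert, now):
        return False
    if resp is None or not response_is_usable(resp, cert, now):
        return False
    return resp.status is CertStatus.GOOD


def ocsp_window(resp: OCSPResponse) -> timedelta:
    """Length of the window the CA actually set; differs between CAs."""
    return resp.next_update - resp.this_update


def scenario() -> dict:
    # Constructed timeline: 2-year cert issued at t0; the CA's post-issuance
    # check finds a mistake 6 hours later and publishes a REVOKED response
    # with a one-day nextUpdate. The client connects one day after issuance.
    t0 = datetime(2013, 3, 22, 0, 0, tzinfo=timezone.utc)
    cert = Certificate(serial=0x1234, not_before=t0, not_after=t0 + timedelta(days=730))
    revoked = OCSPResponse(
        serial=0x1234,
        status=CertStatus.REVOKED,
        this_update=t0 + timedelta(hours=6),
        next_update=t0 + timedelta(hours=6) + timedelta(days=1),
    )
    # A second, hypothetical CA that uses a 7-day window for a GOOD response.
    good_7d = OCSPResponse(0x1234, CertStatus.GOOD, t0, t0 + timedelta(days=7))
    now = t0 + timedelta(days=1)
    return {
        "heuristic_accepts": accept_assuming_fresh_cert_is_good(cert, now),
        "stapled_accepts_revoked": accept_with_stapled_response(cert, revoked, now),
        "stapled_accepts_good": accept_with_stapled_response(cert, good_7d, now),
        # Same GOOD response, but presented after its nextUpdate has passed.
        "stapled_accepts_stale": accept_with_stapled_response(
            cert, good_7d, t0 + timedelta(days=10)
        ),
        "windows_days": (ocsp_window(revoked).days, ocsp_window(good_7d).days),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The heuristic accepts the one-day-old certificate even though the CA has already revoked it, while the response-driven policy rejects it; the same policy also rejects a GOOD response once `now` is past the CA's nextUpdate, and the two constructed responses show that the window length (one day versus seven) is whatever the CA put in the response.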