[cabfpub] OCSP Stapling and Short-Lived Certificates Proposal

Paul Tiemann paul.tiemann.usenet at gmail.com
Mon Mar 25 16:47:18 UTC 2013

On Mar 22, 2013, at 11:23 PM, Ryan Sleevi <sleevi at google.com> wrote:

> If the CA has issued a valid, signed OCSP response, then they have no ability to revoke that certificate for any client that supports stapling, until that OCSP response expires.

Browsers could solve this problem by just "double checking" stapled responses in the first week of a certificate's life.


We could cure the "7 day" loophole if a certificate's OCSP responses could only be valid for 4 hours for each day the certificate has been alive, stopping when the OCSP response validity has reached the 7 or 10 day maximum.


More information about the Public mailing list