Gervase Markham gerv at mozilla.org
Wed Jun 4 19:09:19 UTC 2014

On 02/06/14 19:58, Phillip Hallam-Baker wrote:
> I also note that (2) has the same imposition on the server as a short
> lived cert. After all, an OCSP token is kind of like a short lived cert.
> Which means that in my view any long term solution to revocation has to
> be based on short lived certs for end entity certificates plus a CRLSet
> for the intermediate certs (which is not a scaling issue as they should
> never be revoked in normal circumstances).

Why could it not be based on OCSP stapling + must-staple for end entity
certificates and CRLSets for intermediate certs?
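The following is an added example, not code from this thread, from Gervase or from Mozilla. It models the client-side policy the question proposes: an end-entity certificate is checked through the OCSP response stapled into the TLS handshake, and the TLS Feature ("must-staple") extension of RFC 7633 turns a missing or stale staple into a hard failure, while intermediates are checked against a CRLSet-style blocklist. The DER layout of the extension (OID 1.3.6.1.5.5.7.1.24, a SEQUENCE OF INTEGER containing 5 for status_request) is from RFC 7633; the representation of a CRLSet as (issuer SPKI hash, serial) pairs, the soft-fail behaviour for certificates without must-staple, and all certificates, dates, hashes and OCSP responses are assumptions constructed for the example.

```python
"""Toy model of must-staple for leaves plus a CRLSet for intermediates.
Added example; every certificate, staple and CRLSet entry is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# RFC 7633: id-pe-tlsfeature; extnValue is SEQUENCE OF INTEGER, and the
# integer 5 is the TLS status_request extension, i.e. OCSP stapling.
TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"
STATUS_REQUEST = 5


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element at buf[pos:]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_tls_feature(extn_value: bytes) -> list[int]:
    """Decode a TLS Feature extnValue into its list of feature numbers."""
    tag, body, end = _read_tlv(extn_value, 0)
    if tag != 0x30 or end != len(extn_value):
        raise ValueError("extnValue must be exactly one SEQUENCE")
    features, pos = [], 0
    while pos < len(body):
        itag, ival, pos = _read_tlv(body, pos)
        if itag != 0x02:
            raise ValueError("TLS Feature list may contain only INTEGERs")
        features.append(int.from_bytes(ival, "big", signed=True))
    return features


def encode_tls_feature(features: list[int]) -> bytes:
    """Inverse of parse_tls_feature, sufficient for the small values in use."""
    body = b""
    for f in features:
        n = max(1, (f.bit_length() + 8) // 8)      # leave room for the sign bit
        body += b"\x02" + bytes([n]) + f.to_bytes(n, "big", signed=True)
    if len(body) >= 0x80:
        raise ValueError("long-form SEQUENCE length not needed here")
    return b"\x30" + bytes([len(body)]) + body


@dataclass
class Cert:
    subject: str
    serial: int
    issuer_spki_sha256: str                    # hex digest of the issuer's SPKI
    extensions: dict = field(default_factory=dict)   # OID -> raw DER extnValue

    def must_staple(self) -> bool:
        raw = self.extensions.get(TLS_FEATURE_OID)
        return raw is not None and STATUS_REQUEST in parse_tls_feature(raw)


@dataclass
class StapledOCSP:
    cert_status: str        # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: datetime


def check_end_entity(cert: Cert, staple, now: datetime) -> str:
    """Assumption: without must-staple the client soft-fails, i.e. a missing
    or stale staple is treated as 'revocation not checked' and accepted."""
    usable = staple is not None and staple.this_update <= now <= staple.next_update
    if not usable:
        return "reject" if cert.must_staple() else "accept"
    return "accept" if staple.cert_status == "good" else "reject"


def check_intermediate(cert: Cert, crlset) -> str:
    """CRLSet lookup keyed on (issuer SPKI hash, serial); assumed format."""
    return "reject" if (cert.issuer_spki_sha256, cert.serial) in crlset else "accept"


def verify_chain(leaf, intermediates, staple, crlset, now) -> str:
    if any(check_intermediate(ca, crlset) == "reject" for ca in intermediates):
        return "reject"
    return check_end_entity(leaf, staple, now)


def demo() -> dict:
    """Run the cases the thread cares about on constructed data."""
    now = datetime(2014, 6, 4, 19, 9, 19, tzinfo=timezone.utc)
    root_spki, inter_spki = "aa" * 32, "bb" * 32   # constructed, not real hashes
    intermediate = Cert("Example Intermediate CA", 0x1001, root_spki)
    plain_leaf = Cert("www.example.org", 0x2001, inter_spki)
    strict_leaf = Cert("www.example.org", 0x2002, inter_spki,
                       {TLS_FEATURE_OID: encode_tls_feature([STATUS_REQUEST])})
    good = StapledOCSP("good", now - timedelta(days=1), now + timedelta(days=3))
    stale = StapledOCSP("good", now - timedelta(days=10), now - timedelta(days=3))
    clean, blocked = set(), {(root_spki, 0x1001)}  # blocked: intermediate revoked
    return {
        "must_staple_no_staple": verify_chain(strict_leaf, [intermediate], None, clean, now),
        "must_staple_stale": verify_chain(strict_leaf, [intermediate], stale, clean, now),
        "must_staple_good": verify_chain(strict_leaf, [intermediate], good, clean, now),
        "plain_no_staple": verify_chain(plain_leaf, [intermediate], None, clean, now),
        "intermediate_in_crlset": verify_chain(strict_leaf, [intermediate], good, blocked, now),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} {verdict}")
```

The point the model makes concrete is that must-staple moves the hard-fail decision from the client's network behaviour to a bit in the certificate: the same missing staple is a soft-fail for plain_leaf and a rejection for strict_leaf, and a stapled response that has passed its nextUpdate is ignored rather than honoured, so a server cannot keep serving an old "good" response after revocation. The intermediate check needs no staple at all, which is why a small, rarely updated CRLSet suffices there.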


