[cabfpub] Revocation and Certificate Issue

Jeremy Rowley jeremy.rowley at digicert.com
Wed Jun 4 21:53:28 UTC 2014

Why not both? Short-lived certs will not work for everyone but neither will
OCSP + must staple. Since they aren't mutually exclusive, giving people the
choice between the two permits CAs to cover different use-cases.


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Gervase Markham
Sent: Wednesday, June 4, 2014 1:09 PM
To: Phillip Hallam-Baker; CABFPub
Subject: Re: [cabfpub] Revocation and Certificate Issue

On 02/06/14 19:58, Phillip Hallam-Baker wrote:
> I also note that (2) has the same imposition on the server as a short 
> lived cert. After all, an OCSP token is kind of like a short lived cert.
> Which means that in my view any long term solution to revocation has 
> to be based on short lived certs for end entity certificates plus a 
> CRLSet for the intermediate certs (which is not a scaling issue as 
> they should never be revoked in normal circumstances).

Why could it not be based on OCSP stapling + must staple for end entity
certificates and CRLSets for intermediate certs?
