[cabfpub] Revocation and Certificate Issue
jeremy.rowley at digicert.com
Wed Jun 4 21:53:28 UTC 2014
Why not both? Short-lived certs will not work for everyone but neither will
OCSP + must staple. Since they aren't mutually-exclusive, giving people the
choice between the two permits CAs to cover different use-cases.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Gervase Markham
Sent: Wednesday, June 4, 2014 1:09 PM
To: Phillip Hallam-Baker; CABFPub
Subject: Re: [cabfpub] Revocation and Certificate Issue
On 02/06/14 19:58, Phillip Hallam-Baker wrote:
> I also note that (2) has the same imposition on the server as a short
> lived cert. After all, an OCSP token is kind of like a short lived cert.
> Which means that in my view any long term solution to revocation has
> to be based on short lived certs for end entity certificates plus a
> CRLSet for the intermediate certs (which is not a scaling issue as
> they should never be revoked in normal circumstances).
Why could it not be based on OCSP stapling + must staple for end entity
certificates and CRLSets for intermediate certs?