[cabfpub] Pre-Ballot - Short-Life Certificates

Rich Smith richard.smith at comodo.com
Mon Nov 3 14:51:26 UTC 2014



From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Eddy Nigg
Sent: Friday, October 31, 2014 5:55 PM


On 10/31/2014 07:09 PM, Jeremy Rowley wrote:

7) Short-lived certs provide a limited hard-fail since the expiration
message for expired certs is more visible than the message received where
revocation information is unavailable

I don't agree with this entirely - a working revocation usually BLOCKS a
visitor to the site, whereas an expiration notice is not only clicked away;
from the logic of a visitor it's "just" an expiration, meaning that this
site had a valid certificate and just failed to renew or whatever.

In my opinion browsers would have to implement similar logic to that used for
revocations when a short-lived certificate is expired in order to be
effective. And I highly doubt that either CAs or browsers wish to do that.

[RWS] +100. Expiration and revocation are NOT equivalent under current
browser behavior.

8) Browsers don't need to add the certs to their CRLSets or do a call to the
CA to retrieve revocation information.

With the above logic, this isn't necessarily true if the key of such a
certificate gets compromised. Such a key could potentially be used for
hundreds of certificates, depending on what the guidelines will be for reuse
of such keys.

If the weakness of how browsers handle expired certificates will be abused
with such certificates, they might have to be included in a CRL.

9) Short-lived certs provide shorter revocation windows than currently
offered under the BRs.

Please note that the BR allows for a maximum period. CAs might use shorter
periods; in addition, certain browsers don't hold OCSP responses for more
than 24 hours.





Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
startcom at startcom.org
Join the Revolution! <http://blog.startcom.org>
Follow Me <http://twitter.com/eddy_nigg>
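The three points argued above (an expiration notice versus a revocation block, the exposure left when one key is reused across many short-lived certificates, and how the effective OCSP window depends on response validity and browser caching) can be made concrete with a small model. The code below is an added example and is not from this thread, from CA/Browser Forum, or from any CA or browser; it encodes the relying-party behaviour as the message describes it, not any real browser's implementation. The `SHORT_LIVED_MAX` threshold, the 10-day `BR_MAX_OCSP_VALIDITY` stand-in for "the BR maximum period", the `Verdict` names and every date in `run_scenario` are assumptions constructed for the example.

```python
"""Model of expiration versus revocation and of post-compromise exposure
windows.  All thresholds, periods and timestamps are constructed sample
values chosen for this example, not figures from the thread."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Iterable, Optional

UTC = timezone.utc


class Verdict(Enum):
    OK = "ok"
    HARD_FAIL = "hard-fail"   # blocking error the visitor cannot click away
    SOFT_FAIL = "soft-fail"   # warning the visitor can dismiss


@dataclass(frozen=True)
class Cert:
    not_before: datetime
    not_after: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before


@dataclass(frozen=True)
class OcspResponse:
    revoked: bool
    this_update: datetime
    next_update: datetime


# Assumed policy knobs (hypothetical values chosen for the example):
SHORT_LIVED_MAX = timedelta(days=7)            # at or below this lifetime counts as short-lived
BROWSER_OCSP_CACHE_CAP = timedelta(hours=24)   # the 24-hour browser cache limit the thread mentions
BR_MAX_OCSP_VALIDITY = timedelta(days=10)      # assumed stand-in for "the BR maximum period"


def evaluate(cert: Cert, now: datetime, ocsp: Optional[OcspResponse],
             short_lived_hard_fail: bool = False) -> Verdict:
    """Relying-party decision as the thread describes current behaviour:
    revocation blocks, expiry only warns.  The optional policy flag models
    the suggestion that expiry of a short-lived cert should block too."""
    if now < cert.not_before:
        return Verdict.SOFT_FAIL
    if now > cert.not_after:
        if short_lived_hard_fail and cert.lifetime <= SHORT_LIVED_MAX:
            return Verdict.HARD_FAIL
        return Verdict.SOFT_FAIL
    # Missing or stale revocation information is only a soft failure.
    if ocsp is None or not (ocsp.this_update <= now <= ocsp.next_update):
        return Verdict.SOFT_FAIL
    return Verdict.HARD_FAIL if ocsp.revoked else Verdict.OK


def ocsp_window(response_validity: timedelta,
                cache_cap: timedelta = BROWSER_OCSP_CACHE_CAP) -> timedelta:
    """Worst case: a client fetched a 'good' response just before the CA
    revoked and keeps trusting it for the shorter of the response validity
    and the browser's cache limit."""
    return min(response_validity, cache_cap)


def expiry_window(cert: Cert, compromised_at: datetime) -> timedelta:
    """Exposure when the only remedy is letting the certificate expire."""
    return max(cert.not_after - compromised_at, timedelta(0))


def reuse_window(certs: Iterable[Cert], compromised_at: datetime) -> timedelta:
    """One key shared across many short-lived certs stays usable until the
    last certificate carrying it expires."""
    return max((expiry_window(c, compromised_at) for c in certs), default=timedelta(0))


def daily_chain(start: datetime, days: int) -> list:
    """Constructed sample: one 24-hour certificate per day, same key throughout."""
    return [Cert(start + timedelta(days=i), start + timedelta(days=i + 1)) for i in range(days)]


def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600


T0 = datetime(2014, 11, 3, tzinfo=UTC)   # constructed scenario start


def run_scenario() -> dict:
    """Constructed scenario: a 3-day cert and a 1-year cert issued at T0,
    key compromised 36 hours later, OCSP responses valid for the assumed maximum."""
    three_day = Cert(T0, T0 + timedelta(days=3))
    one_year = Cert(T0, T0 + timedelta(days=365))
    compromised_at = T0 + timedelta(hours=36)
    good = OcspResponse(False, T0, T0 + BR_MAX_OCSP_VALIDITY)
    bad = OcspResponse(True, T0, T0 + BR_MAX_OCSP_VALIDITY)
    just_expired = three_day.not_after + timedelta(hours=1)
    return {
        "expired_default": evaluate(three_day, just_expired, None).value,
        "expired_hard_fail": evaluate(three_day, just_expired, None, True).value,
        "expired_long_hard_fail": evaluate(one_year, one_year.not_after + timedelta(hours=1), None, True).value,
        "revoked": evaluate(one_year, compromised_at, bad).value,
        "no_ocsp": evaluate(one_year, compromised_at, None).value,
        "good": evaluate(one_year, compromised_at, good).value,
        "short_lived_hours": hours(expiry_window(three_day, compromised_at)),
        "ocsp_uncapped_hours": hours(ocsp_window(BR_MAX_OCSP_VALIDITY, BR_MAX_OCSP_VALIDITY)),
        "ocsp_capped_hours": hours(ocsp_window(BR_MAX_OCSP_VALIDITY)),
        "reuse_hours": hours(reuse_window(daily_chain(T0, 5), compromised_at)),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:24} {value}")
```

Under these assumptions the 3-day certificate leaves a 36-hour window after the compromise, which beats the assumed 10-day OCSP validity but not the 24-hour browser cache cap, and reusing the key across five daily certificates stretches the window to 84 hours; both outcomes are the caveats Eddy raises against points 8 and 9.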


